In AWStats up to and including 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Vulnerable Product |
---|
awstats awstats |
debian debian linux 9.0 |
fedoraproject fedora 32 |
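The following detection sketch is an added example, not code from the advisory or from the AWStats project: it scans web server access-log lines for requests to `awstats.pl` whose `config=` value decodes to an absolute pathname, the input the description above says was not meant to be accepted. The log format (Apache combined), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def config_values(target):
    """Return the decoded config= values if the request targets awstats.pl."""
    parts = urlsplit(target)
    if not parts.path.endswith("/awstats.pl"):
        return []
    # parse_qs percent-decodes once; keep blank values so nothing is hidden
    return parse_qs(parts.query, keep_blank_values=True).get("config", [])

def is_absolute_path(value):
    """True if the value starts with '/' after undoing nested percent-encoding."""
    for _ in range(3):  # bounded loop; conservatively flags %252F-style nesting too
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.startswith("/")

def flag_lines(lines):
    """Return (line_number, config_value) for awstats.pl hits with an absolute config=."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for v in config_values(m.group(1)):
            if is_absolute_path(v):
                hits.append((n, v))
    return hits

# Constructed sample access-log lines (not taken from the page)
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2021:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2021:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=/tmp/example.conf HTTP/1.1" 200 312',
    '192.0.2.12 - - [01/Jan/2021:10:00:09 +0000] "GET /cgi-bin/awstats.pl?output=main&config=%252Ftmp%252Fexample.conf HTTP/1.1" 200 312',
    '192.0.2.13 - - [01/Jan/2021:10:00:12 +0000] "GET /index.html?config=/tmp/x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, v in flag_lines(SAMPLE):
        print(f"line {n}: absolute config path {v!r}")
```

Hits from this check are a triage signal only; the expected `config=` values on a given host are the site names it actually serves statistics for.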