In AWStats up to and including 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Vulnerable Product |
---|
awstats awstats |
debian debian linux 9.0 |
fedoraproject fedora 32 |
fedoraproject fedora 33 |