awstats

27 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-63261
all versions
AWStats 8.0 is vulnerable to Command Injection via the open function
7.8 HIGH
CVE-2022-46391
>= 7.0 and <= 7.8
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.
6.1 MEDIUM
CVE-2020-35176
<= 7.8
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it
5.3 MEDIUM
CVE-2020-29600
<= 7.7
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file i
9.8 CRITICAL
CVE-2018-10245
<= 7.6
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, ob
5.3 MEDIUM
CVE-2017-1000501
<= 7.6.0
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters re
9.8 CRITICAL
CVE-2012-4547
<= 7.0
Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unknown impact and attack vectors.
CVE-2010-4369
<= 6.95
Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPl
CVE-2010-4368
<= 6.95
awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute ar
CVE-2010-4367
<= 6.95
awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary com
CVE-2009-5020
<= 6.9
Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites
CVE-2008-5080
<= 6.8
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-si
CVE-2008-3714
all versions
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HT
CVE-2006-3682
<= 6.5_1.857
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pl
CVE-2006-3681
<= 6.5_1.857
Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to
CVE-2006-2644
all versions
AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir param
CVE-2006-2237
all versions
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code
CVE-2006-1945
<= 6.5_1.857
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web
CVE-2005-2732
<= 6.4
AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist
CVE-2005-1527
<= 6.4
Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to exe
CVE-2005-0438
all versions
awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter.
CVE-2005-0437
all versions
Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules v
CVE-2005-0436
all versions
Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code
CVE-2005-0435
all versions
awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode paramet
CVE-2005-0363
all versions
awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config par
CVE-2005-0362
all versions
awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode",
CVE-2005-0116
<= 6.3
AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the
threatengine.sh