CVE-2005-1527 — Code Injection in Awstats

CWE-94 — Code Injection CWE-95 — Eval Injection CWE-318 — Cleartext Storage of Sensitive Information in Executable8 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

1.3%

top 20.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Awstats Debian Awstats Canonical Ubuntu Linux +1 more

Timeline

PublishedAug 15

Latest updateMay 1

Description

Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/awstats< awstats 6.4-1.1 (bookworm)

▶Debianawstats/awstats< 6.4-1.1+3

▶NVDawstats/awstats6.4

Also affects: Debian Linux 3.0, 3.1, Ubuntu Linux 5.04

Patches

Patch: secunia.com ↗Patch: securitytracker.com ↗Patch: www.osvdb.org ↗

🔴Vulnerability Details

GHSA

GHSA-7rg7-c2wp-3xxr: Eval injection vulnerability in awstats↗2022-05-01

▶

OSV

CVE-2005-1527: Eval injection vulnerability in awstats↗2005-08-15

▶

📋Vendor Advisories

Ubuntu

AWStats vulnerability↗2005-08-12

▶

Debian

CVE-2005-1527: awstats - Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a UR...↗2005

▶

📐Framework References

CWE

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')↗

▶

CWE

Improper Control of Generation of Code ('Code Injection')↗

▶

CWE

Cleartext Storage of Sensitive Information in Executable↗

▶