CVE-2006-1945
Published 2006-04-20
Priority: P4 · 16 · low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
EXPLOIT
EPSS: 4.83% (90.9th percentile)
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 6.5_1.857 | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.7.dfsg-5.1 | 6.7.dfsg-5.1 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.7.dfsg-5.1 | 6.7.dfsg-5.1 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.7.dfsg-5.1 | 6.7.dfsg-5.1 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.7.dfsg-5.1 | 6.7.dfsg-5.1 |
| debian | awstats | < awstats 6.7.dfsg-5.1 (bookworm) | awstats 6.7.dfsg-5.1 (bookworm) |
| debian | awstats | < awstats 6.5-2 (bookworm) | awstats 6.5-2 (bookworm) |
CVSS provenance
nvd · v2.0 · 2.6 LOW · AV:N/AC:H/Au:N/C:N/I:P/A:N
osv · 5.0 MEDIUM
vendor_debian · 5.0 MEDIUM
vendor_redhat · 2.6 LOW
GHSA
GHSA-5pfp-c3pj-vr5r: Cross-site scripting (XSS) vulnerability in awstats
ghsa_unreviewed·2022-05-02·CVSS 2.6
CVE-2008-3714 [LOW] CWE-79 GHSA-5pfp-c3pj-vr5r: Cross-site scripting (XSS) vulnerability in awstats
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
GHSA
GHSA-h828-p7pc-74fc: Cross-site scripting (XSS) vulnerability in awstats
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2006-1945 [MEDIUM] GHSA-h828-p7pc-74fc: Cross-site scripting (XSS) vulnerability in awstats
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.
GHSA
GHSA-j4xf-vwfm-mg7q: Multiple cross-site scripting (XSS) vulnerabilities in awstats
ghsa_unreviewed·2022-05-01·CVSS 2.6
CVE-2006-3681 [LOW] GHSA-j4xf-vwfm-mg7q: Multiple cross-site scripting (XSS) vulnerabilities in awstats
Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945.
OSV
CVE-2008-3714: Cross-site scripting (XSS) vulnerability in awstats
osv·2008-08-19·CVSS 2.6
CVE-2008-3714 [LOW] CVE-2008-3714: Cross-site scripting (XSS) vulnerability in awstats
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
OSV
CVE-2006-3681: Multiple cross-site scripting (XSS) vulnerabilities in awstats
osv·2006-07-21·CVSS 2.6
CVE-2006-3681 [LOW] CVE-2006-3681: Multiple cross-site scripting (XSS) vulnerabilities in awstats
Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945.
OSV
CVE-2006-1945: Cross-site scripting (XSS) vulnerability in awstats
osv·2006-04-20·CVSS 5.0
CVE-2006-1945 [MEDIUM] CVE-2006-1945: Cross-site scripting (XSS) vulnerability in awstats
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.
Red Hat
awstats: Cross-site scripting (XSS) vulnerability
vendor_redhat·2008-06-23·CVSS 2.6
CVE-2008-3714 [LOW] CWE-79 awstats: Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Debian
CVE-2008-3714: awstats - Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows rem...
vendor_debian·2008·CVSS 2.6
CVE-2008-3714 [LOW] CVE-2008-3714: awstats - Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows rem...
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Scope: local
bookworm: resolved (fixed in 6.7.dfsg-5.1)
bullseye: resolved (fixed in 6.7.dfsg-5.1)
forky: resolved (fixed in 6.7.dfsg-5.1)
sid: resolved (fixed in 6.7.dfsg-5.1)
trixie: resolved (fixed in 6.7.dfsg-5.1)
Debian
CVE-2006-1945: awstats - Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlie...
vendor_debian·2006·CVSS 5.0
CVE-2006-1945 [MEDIUM] CVE-2006-1945: awstats - Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlie...
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732.
Scope: local
bookworm: resolved (fixed in 6.5-2)
bullseye: resolved (fixed in 6.5-2)
forky: resolved (fixed in 6.5-2)
sid: resolved (fixed in 6.5-2)
trixie: resolved (fixed in 6.5-2)
Debian
CVE-2006-3681: awstats - Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5...
vendor_debian·2006·CVSS 2.6
CVE-2006-3681 [LOW] CVE-2006-3681: awstats - Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5...
Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945.
Scope: local
bookworm: resolved (fixed in 6.5-2)
bullseye: resolved (fixed in 6.5-2)
forky: resolved (fixed in 6.5-2)
sid: resolved (fixed in 6.5-2)
trixie: resolved (fixed in 6.5-2)
No detection rules found.
Bugzilla
CVE-2008-3714 awstats: Cross-site scripting (XSS) vulnerability
bugzilla·2008-08-20·CVSS 2.6
CVE-2008-3714 [LOW] CVE-2008-3714 awstats: Cross-site scripting (XSS) vulnerability
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3714
to the following vulnerability:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows
remote attackers to inject arbitrary web script or HTML via the query_string,
a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
References:
http://bugs.gentoo.org/show_bug.cgi?id=235225
Upstream patch:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
Upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
Discussion:
CVE-2008-3714: This issue affects the versions of the awstats package
as shipped with Fedora 8, Fedora 9 a
Bugzilla
CVE-2006-1945: awstats cross site scripting vulnerability
bugzilla·2006-05-06·CVSS 2.6
CVE-2006-1945 [LOW] CVE-2006-1945: awstats cross site scripting vulnerability
awstats <= 6.5 reportedly has a cross site scripting vulnerability via the
"config" parameter. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1945
Discussion:
*** Bug 190920 has been marked as a duplicate of this bug. ***
---
Awstats 6.6 is still in beta and did not work for me (update gave "Use of
uninitialized value in substitution (s///) at ..."), so I backported the fix
from CVS instead (it's a two-liner).
FC-5 and FC-4 versions building, devel is updated to 6.6 and I'll keep it
updated when a new beta arrives.
Bugzilla
CVE-2006-1945: awstats cross site scripting vulnerability
bugzilla·2006-05-06·CVSS 2.6
CVE-2006-1945 [LOW] CVE-2006-1945: awstats cross site scripting vulnerability
+++ This bug was initially created as a clone of Bug #190921 +++
awstats <= 6.5 reportedly has a cross site scripting vulnerability via the
"config" parameter. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1945
Discussion:
Awstats 6.6 is still in beta and did not work for me (update gave "Use of
uninitialized value in substitution (s///) at ..."), so I backported the fix
from CVS instead (it's a two-liner).
FC-5 and FC-4 versions building, devel is updated to 6.6 and I'll keep it
updated when a new beta arrives.
http://pridels0.blogspot.com/2006/04/awstats-65-vuln.html
http://secunia.com/advisories/20496
http://security.gentoo.org/glsa/glsa-200606-06.xml
http://www.securityfocus.com/bid/17621
Published: 2006-04-20