Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-2237 — Awstats vulnerability

15 documents10 sources

Severity

5.1MEDIUMNVD

EPSS

90.6%

top 0.38%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Awstats Debian Awstats

Timeline

PublishedMay 8

Latest updateMay 1

Description

The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/awstats< awstats 6.5-2 (bookworm)

▶Debianawstats/awstats< 6.5-2+3

▶NVDawstats/awstats6.4, 6.5+1

Patches

Patch: secunia.com ↗Patch: www.osvdb.org ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-x4mq-2mhg-3c5x: The web interface for AWStats 6↗2022-05-01

▶

OSV

CVE-2006-2237: The web interface for AWStats 6↗2006-05-08

▶

VulnCheck

awstats awstats Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')↗2006

▶

💥Exploits & PoCs

Exploit-DB

AWStats 6.4 < 6.5 - migrate Remote Command Execution (Metasploit)↗2010-07-03

▶

Exploit-DB

Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow↗2007-04-07

▶

Exploit-DB

AWStats 6.5 - 'migrate' Remote Shell Command Injection↗2006-05-06

▶

Exploit-DB

AWStats 6.4 < 6.5 - AllowToUpdateStatsFromBrowser Command Injection (Metasploit)↗2006-05-04

▶

Metasploit

AWStats migrate Remote Command Execution↗

▶

📋Vendor Advisories

Ubuntu

awstats vulnerability↗2006-05-23

▶

Debian

CVE-2006-2237: awstats - The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, ...↗2006

▶

🕵️Threat Intelligence

Unit42

Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities↗2019-12-13

▶

Unit42

Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities↗2019-12-13

▶

💬Community

Bugzilla

CVE-2006-2237: awstats arbitrary code execution vulnerability↗2006-05-06

▶

Bugzilla

CVE-2006-2237: awstats arbitrary code execution vulnerability↗2006-05-06

▶