CVE-2006-3682
Published 2006-07-21
CVE-2006-3682: awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
Priority P4 · 23 · medium · 5 · CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 9.54% (94.9th percentile)
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 6.5_1.857 | — |
| awstats | awstats | <= 7.6 | — |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| debian | awstats | < awstats 6.5-2 (bookworm) | awstats 6.5-2 (bookworm) |
| debian | awstats | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_ubuntu | — | 2.6 | LOW | — |
Debian: CVE-2018-10245 [MEDIUM] awstats (vendor_debian · 2018 · CVSS 5.0)
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Ubuntu: CVE-2006-3681 [LOW] awstats vulnerabilities (vendor_ubuntu · 2006-10-10 · CVSS 2.6)
awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into a user's home directory. (CVE-2006-3682)

Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Debian: CVE-2006-3682 [MEDIUM] awstats (vendor_debian · 2006 · CVSS 5.0)
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
Scope: local
bookworm: resolved (fixed in 6.5-2)
bullseye: resolved (fixed in 6.5-2)
forky: resolved (fixed in 6.5-2)
sid: resolved (fixed in 6.5-2)
trixie: resolved (fixed in 6.5-2)
GHSA: GHSA-ccww-jx9f-9pm9 for CVE-2018-10245 [MEDIUM] CWE-200 (ghsa_unreviewed · 2022-05-14 · CVSS 5.0)
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters.
GHSA: GHSA-qfgf-w7mw-6qrh for CVE-2006-3682 [MEDIUM] awstats (ghsa_unreviewed · 2022-05-01)
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
OSV: CVE-2018-10245 [MEDIUM] (osv · 2018-04-20 · CVSS 5.0)
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters.
OSV: CVE-2006-3682 [MEDIUM] awstats (osv · 2006-07-21 · CVSS 5.0)
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
No detection rules found.
References:
- http://pridels0.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
- http://secunia.com/advisories/19725
- http://secunia.com/advisories/22306
- http://www.ubuntu.com/usn/usn-360-1
- http://www.vupen.com/english/advisories/2006/1421
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25880