Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-3682 — Sensitive Information Exposure in Awstats

CWE-200 — Sensitive Information Exposure11 documents7 sources

Severity

5.3MEDIUMNVD

NVD5.0OSV5.0

EPSS

7.9%

top 7.93%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Awstats Debian Awstats

Timeline

PublishedJul 21

Latest updateMay 14

Description

awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/awstats< awstats 6.5-2 (bookworm)+1

▶Debianawstats/awstats< 6.5-2+3

▶NVDawstats/awstats6.5_1.857+1

🔴Vulnerability Details

GHSA

GHSA-ccww-jx9f-9pm9: A Full Path Disclosure vulnerability in AWStats through 7↗2022-05-14

▶

GHSA

GHSA-qfgf-w7mw-6qrh: awstats↗2022-05-01

▶

OSV

CVE-2018-10245: A Full Path Disclosure vulnerability in AWStats through 7↗2018-04-20

▶

OSV

CVE-2006-3682: awstats↗2006-07-21

▶

💥Exploits & PoCs

Exploit-DB

AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosures↗2009-04-19

▶

📋Vendor Advisories

Debian

CVE-2018-10245: awstats - A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attack...↗2018

▶

Ubuntu

awstats vulnerabilities↗2006-10-10

▶

Debian

CVE-2006-3682: awstats - awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obt...↗2006

▶

💬Community

Bugzilla

CVE-2018-10245 awstats: Full path disclosure vulnerability allows attackers to disclose location of config file↗2018-04-26

▶