CVE-2008-3714
Published: 2008-08-19
Priority: P4 24 · Severity: medium · CVSS 2.0 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
EXPLOIT
EPSS: 5.60% (91.9th percentile)
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Affected
25 ranges (distinct entries; rows with no version data and verbatim duplicates collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 6.8 | — |
| awstats | awstats | >= 0 < 6.7.dfsg-5.1 | 6.7.dfsg-5.1 |
| debian | awstats | < 6.7.dfsg-5.1 (bookworm) | 6.7.dfsg-5.1 (bookworm) |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Ubuntu
AWStats vulnerability
vendor_ubuntu · 2008-12-04 · CVE-2008-3714
Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. If a user was tricked by a remote attacker into following a specially crafted URL, the user's authentication information could be exposed for the domain where AWStats was hosted.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
awstats: Cross-site scripting (XSS) vulnerability
vendor_redhat · 2008-06-23 · CVSS 2.6 · LOW · CWE-79 · CVE-2008-3714
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Debian
CVE-2008-5080: awstats - awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, ...
vendor_debian · 2008 · CVSS 4.3 · MEDIUM
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
Scope: local
Status: bookworm, bullseye, forky, sid, trixie: resolved (fixed in 6.7.dfsg-5.1)
Debian
CVE-2008-3714: awstats - Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows rem...
vendor_debian · 2008 · CVSS 2.6 · LOW
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Scope: local
Status: bookworm, bullseye, forky, sid, trixie: resolved (fixed in 6.7.dfsg-5.1)
Red Hat
awstats: incomplete fix for CVE-2008-3714 XSS issue
vendor_redhat · CVSS 4.3 · MEDIUM · CVE-2008-5080
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
GHSA
GHSA-hmvc-j5gw-8prm: awstats
ghsa_unreviewed · 2022-05-17 · CVSS 4.3 · MEDIUM · CWE-79 · CVE-2008-5080
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
GHSA
GHSA-5pfp-c3pj-vr5r: Cross-site scripting (XSS) vulnerability in awstats
ghsa_unreviewed · 2022-05-02 · CVSS 2.6 · LOW · CWE-79 · CVE-2008-3714
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
OSV
CVE-2008-5080: awstats
osv · 2008-12-03 · CVSS 4.3 · MEDIUM
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
OSV
CVE-2008-3714: Cross-site scripting (XSS) vulnerability in awstats
osv · 2008-08-19 · CVSS 2.6 · LOW
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
Suricata
ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt
suricata · 2010-07-30 · CVE-2008-3714 · sid:2010082
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/awstats/awstats.pl?config="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:url,www.securityfocus.com/bid/30730/info; reference:url,bugzilla.redhat.com/show_bug.cgi?id=474396; reference:url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764; reference:cve,2008-3714; classtype:web-application-attack; sid:2010082; rev:6; metadata:created_at 2010_07_30, cve CVE_2008_3714, confidence Medium, signature_severity Major, updated_at 2020_09_10;)
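To see what the rule above does and does not fire on, here is an added Python re-implementation of its two matching conditions (written for this page; it is not Suricata code and not an ET-maintained tool). The sample URIs are constructed, and the single percent-decode in `normalized_uri` is an assumption about how Suricata presents the normalized `http.uri` buffer; the content string and the pcre alternation are copied from the rule text.

```python
import re
from urllib.parse import unquote

# Both conditions of ET sid:2010082, transcribed from the rule text above: a
# case-insensitive content match on http.uri and a case-insensitive pcre on
# the same buffer. The decode step and the sample URIs are this example's own.
URI_CONTENT = "/awstats/awstats.pl?config="
URI_PCRE = re.compile(
    r"(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)",
    re.IGNORECASE,
)

# Constructed request URIs, one per way the rule's two conditions can react.
SAMPLE_URIS = {
    "benign": "/awstats/awstats.pl?config=demo&output=main",
    "encoded_script": "/awstats/awstats.pl?config=demo%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "config_not_first": "/awstats/awstats.pl?output=main&config=demo%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "unlisted_keyword": "/awstats/awstats.pl?config=demo%22%3E%3Csvg%20onerror%3Dconfirm(1)%3E",
    "cgi_bin_path": "/cgi-bin/awstats.pl?config=demo%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
}


def normalized_uri(raw_uri: str) -> str:
    """Assumption: http.uri is matched against Suricata's normalized,
    percent-decoded URI, modelled here by a single unquote()."""
    return unquote(raw_uri)


def content_matches(uri: str) -> bool:
    """content:"/awstats/awstats.pl?config="; nocase;"""
    return URI_CONTENT in uri.lower()


def pcre_matches(uri: str) -> bool:
    """pcre:"/(onmouse|...|<src)/i" evaluated on the same http.uri buffer."""
    return URI_PCRE.search(uri) is not None


def rule_matches(raw_uri: str) -> bool:
    """Both keywords must hit on the same request for the alert to fire."""
    uri = normalized_uri(raw_uri)
    return content_matches(uri) and pcre_matches(uri)


def evaluate(uris: dict) -> dict:
    """Map each sample name to whether sid:2010082 would alert on it."""
    return {name: rule_matches(uri) for name, uri in uris.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_URIS).items():
        print(f"{'ALERT ' if hit else 'silent'}  {name}")
```

Only `encoded_script` alerts. `config_not_first` carries the same payload but stays silent because the content match wants the literal `/awstats/awstats.pl?config=`, and so does `cgi_bin_path`, where the script is served from `/cgi-bin/`. `unlisted_keyword` is silent because `onerror=` and `<svg` are not in the pcre alternation. Treat the rule as a low-cost indicator, not as coverage; the fix is the upgraded package.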
Bugzilla
CVE-2008-5080 awstats: incomplete fix for CVE-2008-3714 XSS issue
bugzilla · 2008-12-03 · CVSS 4.3 · MEDIUM
It was discovered that the upstream patch for the cross-site scripting (XSS) issue in awstats known as CVE-2008-3714 does not completely resolve the problem and still allows injection of quote characters.
Improved patch is available in the Debian BTS:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432#21
It strips quotes only after URL-decoding of %-escaped strings has been done, rather than before.
Patch is included in the Debian security advisory DSA-1679-1:
http://www.debian.org/security/2008/dsa-1679
Discussion:
awstats-6.8-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/awstats-6.8-3.fc10
---
awstats-6.8-3.fc8 has been pushed to the Fedora 8 stable repository. If problems
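The ordering point in the Bugzilla entry (strip quotes before or after URL-decoding) is the whole difference between the incomplete fix and the improved one. The following is an added Python model of the two orderings, written for this page; it is not awstats.pl code and not the Debian or Red Hat patch. `strip_quotes` stands in for the patch's stripping step, `render_link` is a hypothetical attribute context, and the query_string values are constructed.

```python
from html import escape
from urllib.parse import unquote

# Constructed query_string values (illustrative, not taken from the advisories):
# a literal quote, a single %-encoded quote and a double-encoded quote.
PAYLOADS = {
    "raw": '"><script>alert(1)</script>',
    "encoded": "%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "%2522%253E%253Cscript%253Ealert(1)%253C/script%253E",
}


def strip_quotes(value: str) -> str:
    """Stand-in for the quote-stripping step the CVE-2008-3714 patch added."""
    return value.replace('"', "").replace("'", "")


def sanitize_strip_then_decode(raw: str) -> str:
    """Ordering behind CVE-2008-5080: strip first, decode afterwards, so %22
    passes the strip untouched and is decoded into a literal quote."""
    return unquote(strip_quotes(raw))


def sanitize_decode_then_strip(raw: str) -> str:
    """Ordering of the improved Debian patch: decode first, then strip."""
    return strip_quotes(unquote(raw))


def render_link(value: str) -> str:
    """Assumed output context: the value is written back inside a
    double-quoted href attribute (hypothetical markup, not awstats' own)."""
    return f'<a href="awstats.pl?{value}">next</a>'


def breaks_out_of_attribute(value: str) -> bool:
    """A surviving double quote terminates the href attribute in render_link."""
    return '"' in value


def vulnerable_orderings(raw: str) -> list:
    """Names of the sanitisation orderings that let raw escape the attribute."""
    orderings = (
        ("strip_then_decode", sanitize_strip_then_decode),
        ("decode_then_strip", sanitize_decode_then_strip),
    )
    return [name for name, fn in orderings if breaks_out_of_attribute(fn(raw))]


def escape_for_attribute(raw: str) -> str:
    """Output encoding instead of character stripping: decode once, then
    HTML-escape quotes and angle brackets, which holds in any ordering."""
    return escape(unquote(raw), quote=True)


if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        print(f"{name:15} escapes via {vulnerable_orderings(raw) or 'nothing'}")
        print("   decode-then-strip:", render_link(sanitize_decode_then_strip(raw)))
        print("   escaped          :", render_link(escape_for_attribute(raw)))
```

Only the `%22` form gets past strip-then-decode, which is exactly the CVE-2008-5080 case; a literal quote is caught by either ordering, and a double-encoded quote survives one decode as `%22`, which is harmless inside the attribute. Note that decode-then-strip still leaves `<script>` in the value: quote stripping protects the quoted attribute context only, so the durable fix is context-aware output encoding as in `escape_for_attribute`, not character removal.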
Bugzilla
CVE-2008-3714 awstats: Cross-site scripting (XSS) vulnerability
bugzilla · 2008-08-20 · CVSS 2.6 · LOW
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3714 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
References:
http://bugs.gentoo.org/show_bug.cgi?id=235225
Upstream patch:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
Upstream bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
Discussion:
CVE-2008-3714: This issue affects the versions of the awstats package as shipped with Fedora 8, Fedora 9 a
References:
http://awstats.sourceforge.net/docs/awstats_changelog.txt
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
http://secunia.com/advisories/31519
http://secunia.com/advisories/31759
http://secunia.com/advisories/32939
http://secunia.com/advisories/33002
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
http://www.debian.org/security/2008/dsa-1679
http://www.mandriva.com/security/advisories?name=MDVSA-2008:203
http://www.securityfocus.com/bid/30730
http://www.securitytracker.com/id?1020704
http://www.ubuntu.com/usn/usn-686-1
http://www.vupen.com/english/advisories/2008/2399
https://exchange.xforce.ibmcloud.com/vulnerabilities/44504
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00107.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00355.html