CVE-2008-5080 — Cross-site Scripting in Awstats

CWE-79 — Cross-site Scripting8 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 39.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Awstats Debian Awstats

Timeline

PublishedDec 3

Latest updateMay 17

Description

awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/awstats< awstats 6.7.dfsg-5.1 (bookworm)

▶Debianawstats/awstats< 6.7.dfsg-5.1+3

▶NVDawstats/awstats6.8+18

🔴Vulnerability Details

GHSA

GHSA-hmvc-j5gw-8prm: awstats↗2022-05-17

▶

OSV

CVE-2008-5080: awstats↗2008-12-03

▶

📋Vendor Advisories

Ubuntu

AWStats vulnerability↗2008-12-04

▶

Debian

CVE-2008-5080: awstats - awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters,...↗2008

▶

Red Hat

awstats: incomplete fix for CVE-2008-3714 XSS issue↗

▶

📐Framework References

CWE

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')↗

▶

💬Community

Bugzilla

CVE-2008-5080 awstats: incomplete fix for CVE-2008-3714 XSS issue↗2008-12-03

▶