Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-4367: Code Injection in Awstats

CWE-94: Code Injection | 7 documents | 7 sources

Severity: 7.5 HIGH (NVD)
EPSS: 7.3% (top 8.34%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Dec 2 | Latest update May 17

Description

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages (3 packages)

Source: debian | Package: debian/awstats | Affected: < awstats 6.9.5~dfsg-5 (bookworm)
Source: Debian | Package: awstats/awstats | Affected: < 6.9.5~dfsg-5+3
Source: NVD | Package: awstats/awstats | Affected: 6.95+32

🔴 Vulnerability Details (2)

GHSA: GHSA-p75r-4c9j-53m6: awstats (2022-05-17)
OSV: CVE-2010-4367: awstats (2010-12-02)

💥 Exploits & PoCs (1)

Exploit-DB: AWStats 6.x - Apache Tomcat Configuration File Arbitrary Command Execution (2010-11-30)

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt (2011-03-01)

📋 Vendor Advisories (1)

Debian: CVE-2010-4367: awstats - awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, whic... (2010)

💬 Community (1)

Bugzilla: CVE-2010-4367 Awstats: arbitrary commands execution via a crafted configdir parameter (2010-12-02)
CVE-2010-4367 — Code Injection in Debian Awstats | cvebase