CVE-2005-1527

awstats < 6.4 - Remote Code Execution via HTTP Referrer in URLPlugin

Title source: llm
STIX 2.1

Description

Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.

References (11)

Core 11
Core References
Broken Link, Patch vdb-entry x_refsource_osvdb
http://www.osvdb.org/18696
Broken Link vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/167-1/
Broken Link, Vendor Advisory x_refsource_misc
http://www.securiteam.com/unixfocus/5DP0J00GKE.html
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_19_sr.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-892
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17463
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/21769
Broken Link, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16412
Broken Link, Patch, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1014636
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/14525

Scores

EPSS 0.0267
EPSS Percentile 83.9%

Details

CWE
CWE-94
Status published
Products (4)
awstats/awstats < 6.4
canonical/ubuntu_linux 5.04
debian/debian_linux 3.0
debian/debian_linux 3.1
Published Aug 15, 2005
Tracked Since Feb 18, 2026