CVE-2010-4368
AWStats < 7.0 - Remote Code Execution via configdir Parameter
awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname.
References (3)
Core References
US Government Resource, third-party-advisory, x_refsource_cert-vn: http://www.kb.cert.org/vuls/id/870532
Product, x_refsource_misc: http://awstats.sourceforge.net/docs/awstats_changelog.txt
Exploit, x_refsource_misc: http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
Scores
EPSS: 0.0252
EPSS Percentile: 82.9%
Details
CWE: CWE-94
Status: published
Products (33)
awstats/awstats 1.0
awstats/awstats 2.1.
awstats/awstats 2.2.3
awstats/awstats 2.2.4
awstats/awstats 3.0
awstats/awstats 3.1
awstats/awstats 3.2
awstats/awstats 4.0
awstats/awstats 4.1
awstats/awstats 5.0
... and 23 more
Published: Dec 02, 2010
Tracked Since: Feb 18, 2026