CVE-2006-2237 : The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled,

The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.

Published 2006-05-08 23:02:00

Updated 2025-04-03 01:03:51

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2006-2237

Awstats » Awstats » Version: 6.4
cpe:2.3:a:awstats:awstats:6.4:*:*:*:*:*:*:*
Matching versions
Awstats » Awstats » Version: 6.5
cpe:2.3:a:awstats:awstats:6.5:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2006-2237

EPSS FAQ

90.60%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2006-2237

AWStats migrate Remote Command Execution

Disclosure Date: 2006-05-04

First seen: 2020-04-26

exploit/unix/webapp/awstats_migrate_exec

This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled

More information

CVSS scores for CVE-2006-2237

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.1	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:P	4.9	6.4	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

References for CVE-2006-2237

http://secunia.com/advisories/20186

About Secunia Research | Flexera
http://secunia.com/advisories/20710

About Secunia Research | Flexera

CVEs referencing this url
http://www.securityfocus.com/bid/17844

AWStats Remote Arbitrary Command Execution Vulnerability
http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html

VuXML: awstats -- arbitrary command execution vulnerability
http://secunia.com/advisories/20170

About Secunia Research | Flexera
https://exchange.xforce.ibmcloud.com/vulnerabilities/26287

AWStats migrate parameter command execution CVE-2006-2237 Vulnerability Report
http://www.osvdb.org/25284

404 Not Found
Patch
http://security.gentoo.org/glsa/glsa-200606-06.xml

AWStats: Remote execution of arbitrary code (GLSA 200606-06) — Gentoo security

CVEs referencing this url
http://www.novell.com/linux/security/advisories/2006_33_awstats.html

404 Page Not Found | SUSE

CVEs referencing this url
http://secunia.com/advisories/19969

About Secunia Research | Flexera
Patch;Vendor Advisory
http://www.vupen.com/english/advisories/2006/1678

Site en construction
http://www.osreviews.net/reviews/comm/awstats

OS Reviews - AWStats: Flexible but Insecure

CVEs referencing this url
http://awstats.sourceforge.net/awstats_security_news.php

AWStats - Security news and annoucements
https://usn.ubuntu.com/285-1/
http://secunia.com/advisories/20496

About Secunia Research | Flexera

CVEs referencing this url
http://www.debian.org/security/2006/dsa-1058

[SECURITY] [DSA 1058-1] New awstats packages fix arbitrary command execution

Jump to

Vulnerability Details : CVE-2006-2237

Products affected by CVE-2006-2237

Exploit prediction scoring system (EPSS) score for CVE-2006-2237

Metasploit modules for CVE-2006-2237

AWStats migrate Remote Command Execution

CVSS scores for CVE-2006-2237

References for CVE-2006-2237