Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
AWStats 8.0 is vulnerable to Command Injection via the open function
AnalysisAI
AWStats 8.0 contains a command injection vulnerability in the open function that allows attackers to execute arbitrary system commands. The vulnerability affects the AWStats web analytics application, and attackers can exploit this flaw to achieve remote code execution on systems running vulnerable versions. A proof-of-concept has been documented in the referenced pentest-tools PDF, indicating practical exploitability.
Technical ContextAI
AWStats is a Perl-based web server log analysis tool that processes log files through CGI scripts. The vulnerability exists in the awstats.pl script within the open function, which likely fails to properly sanitize or validate input parameters before passing them to system command execution routines. This is a classic command injection vulnerability (CWE class) where untrusted user input is concatenated into shell commands without proper escaping or validation. The Perl open function, when used improperly with user-controlled data, can interpret shell metacharacters and execute arbitrary commands with the privileges of the web server process.
RemediationAI
Immediately upgrade AWStats to the latest patched version available from the official GitHub repository (https://github.com/eldy/AWStats). If an immediate patch is unavailable, implement strict input validation and sanitization for all user-supplied parameters passed to the open function, ensuring shell metacharacters are properly escaped or rejected. As an interim measure, restrict access to the awstats.pl CGI script using web server access controls (IP whitelisting, authentication), disable the CGI script entirely if not actively in use, and run the web server with minimal privileges to limit the blast radius of code execution. Consider deploying a Web Application Firewall (WAF) with rules to detect and block command injection payloads targeting AWStats endpoints. Monitor system logs and process execution for suspicious activity originating from the web server process.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208911