FreeBSD : awstats -- multiple XSS vulnerabilities (27d78386-d35f-11dd-b800-001b77d09812)

Medium | Nessus Plugin ID 35290

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Secunia reports:

Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Successful exploitation requires that the application is running as a CGI script.

Solution

Update the affected packages.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432

http://www.nessus.org/u?61687de8

Plugin Details

Severity: Medium

ID: 35290

File Name: freebsd_pkg_27d78386d35f11ddb800001b77d09812.nasl

Version: 1.17

Type: local

Published: 1/5/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:awstats, p-cpe:/a:freebsd:freebsd:awstats-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/4/2009

Vulnerability Publication Date: 3/12/2008

Reference Information

CVE: CVE-2008-3714, CVE-2008-5080

CWE: 79

Secunia: 31519