Improper Input Validation in AWStats through 7.7 Allows Absolute Path Traversal

Improper Input Validation in AWStats through 7.7 Allows Absolute Path Traversal

CVE-2020-29600 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.

Learn more about our Aws Audit.