On 25 March 2026 12:04, "Chris Lamb" <[email protected]> wrote:
> Package: awstats
> Version: 7.6+dfsg-2+deb10u2
> X-Debbugs-CC: [email protected]
> Severity: grave
> Tags: security
>
> Hi,

Hi Chris,

> The following vulnerability was recently published for awstats.
>
> CVE-2025-63261[0]:
> | AWStats 8.0 is vulnerable to Command Injection via the open function
>
> Christian, let me know if you would like me to prepare an update
> for unstable. I note that you recently took over the package, but
> I can't quite work out where the canonical Git repo is now; the
> one at debian/awstats on Salsa is outdated.

I'm not sure, but from the PDF file, the injection is only possible if
the awstats.conf is modified with a special string. If someone can
modify the configuration file then the machine is probably already
compromised.

,----
| Requirements:
|
| To perform this exploit, an attacker must find a way to create or modify the
| "awstats.conf" file with malicious content as well as the ability to
| create files with arbitrary names on the system
`----

Christian

