CVE-2006-2237
awstats - missing input sanitising
EPSS 90.6%
Description
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
How to fix CVE-2006-2237
To remediate CVE-2006-2237, upgrade the affected package to one of the fixed versions listed below.
- Debian/awstats—upgrade to 6.5-2 or later
- Debian/awstats—upgrade to 6.4-1sarge2 or later
Is CVE-2006-2237 being exploited?
Likely — EPSS is 90.6%, placing CVE-2006-2237 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 6.5-2
- from 0, < 6.4-1sarge2