It was discovered that AWStats did not correctly filter the LoadPlugin configuration option. A local attacker on a shared system could use this to inject arbitrary code into AWStats.