diff -Nru awstats-7.8/debian/changelog awstats-7.8/debian/changelog
--- awstats-7.8/debian/changelog 2021-02-02 07:56:57.000000000 +0000
+++ awstats-7.8/debian/changelog 2022-12-04 19:52:31.000000000 +0000
@@ -1,3 +1,16 @@
+awstats (7.8-3) unstable; urgency=medium
+
+ * QA upload.
+
+ [ Debian Janitor ]
+ * Bump debhelper from old 12 to 13.
+ * Avoid invoking dpkg-parsechangelog.
+
+ [ Salvatore Bonaccorso ]
+ * fix cross site scripting (CVE-2022-46391) (Closes: #1025410)
+
+ -- Salvatore Bonaccorso Sun, 04 Dec 2022 20:52:31 +0100
+
 awstats (7.8-2) unstable; urgency=high
 * QA upload.
diff -Nru awstats-7.8/debian/control awstats-7.8/debian/control
--- awstats-7.8/debian/control 2021-02-02 07:56:57.000000000 +0000
+++ awstats-7.8/debian/control 2022-12-04 19:52:31.000000000 +0000
@@ -2,7 +2,7 @@
 Section: web
 Priority: optional
 Maintainer: Debian QA Group
-Build-Depends: debhelper-compat (= 12), ant, default-jdk, sharutils
+Build-Depends: debhelper-compat (= 13), ant, default-jdk, sharutils
 Vcs-Git: https://salsa.debian.org/debian/awstats.git
 Vcs-Browser: https://salsa.debian.org/debian/awstats
 Standards-Version: 4.1.3
diff -Nru awstats-7.8/debian/patches/fix-cross-site-scripting.patch awstats-7.8/debian/patches/fix-cross-site-scripting.patch
--- awstats-7.8/debian/patches/fix-cross-site-scripting.patch 1970-01-01 00:00:00.000000000 +0000
+++ awstats-7.8/debian/patches/fix-cross-site-scripting.patch 2022-12-04 19:52:31.000000000 +0000
@@ -0,0 +1,29 @@
+From: rekter0 <58881147+rekter0@users.noreply.github.com>
+Date: Mon, 7 Nov 2022 15:12:03 +0100
+Subject: fix cross site scripting
+Origin: https://github.com/eldy/AWStats/commit/38682330e1ec3f3af95f9436640358b2d9e4a965
+Bug: https://github.com/eldy/AWStats/pull/226
+Bug-Debian: https://bugs.debian.org/1025410
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-46391
+
+xss due to printing response from Net::XWhois without proper checks
+---
+ wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
+index 95b2c20b7b91..1f0ac699459d 100644
+--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
++++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
+@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo {
+
+ &tab_head("Full Whois Field",0,0,'whois');
+ if ($w && $w->response()) {
+- print "
".($w->response())."
\n";
++ print "
".CleanXSS($w->response())."
\n";
+ }
+ else {
+ print "
The Whois command failed.
Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?

\n";
+--
+2.38.1
+
diff -Nru awstats-7.8/debian/patches/series awstats-7.8/debian/patches/series
--- awstats-7.8/debian/patches/series 2021-02-02 07:56:57.000000000 +0000
+++ awstats-7.8/debian/patches/series 2022-12-04 19:52:31.000000000 +0000
@@ -11,3 +11,4 @@
 2008_twitter.patch
 2009_googlesearch.patch
 0013-Only-look-for-configuration-in-dedicated-awstats-dir.patch
+fix-cross-site-scripting.patch
diff -Nru awstats-7.8/debian/rules awstats-7.8/debian/rules
--- awstats-7.8/debian/rules 2021-02-02 07:56:57.000000000 +0000
+++ awstats-7.8/debian/rules 2022-12-04 19:52:31.000000000 +0000
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
-DEB_VERSION := $(shell dpkg-parsechangelog | sed -n -e 's/^Version: //p')
+include /usr/share/dpkg/pkg-info.mk
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_VERSION) | cut -d+ -f1)
 %:
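Review bot: Wrapping the WHOIS text in `CleanXSS` on the added `print` line stops the script injection, but `CleanXSS` is AWStats' form-parameter cleaner from awstats.pl (not shown in the hunk), and as far as I recall it deletes characters (double quotes, `=`, `;`, backslashes, CR/LF) rather than encoding them, so a multi-line WHOIS record would be flattened and partially truncated inside the `<pre>` block, and it leaves `&` untouched so entity-like sequences in the response are still interpreted by the browser. A plain HTML escape of `&`, `<`, `>` and `"` (ampersand first, so later entities are not doubled) neutralises the XSS while keeping the record readable, as sketched below; confirm `CleanXSS`'s current substitution list before switching. The enclosing `BuildFullHTMLOutput_hostinfo` begins before this hunk and its body continues past it.

```perl
	if ($w && $w->response()) {
		# Escape rather than strip: the WHOIS text is untrusted, but it must
		# stay readable (line breaks, quotes, '=' and ';') inside the <pre>.
		my $whois = $w->response();
		$whois =~ s/&/&amp;/g;     # first, so the entities below are not doubled
		$whois =~ s/</&lt;/g;
		$whois =~ s/>/&gt;/g;
		$whois =~ s/"/&quot;/g;
		print "<pre>".$whois."</pre>\n";
	}
	# … unchanged: else branch printing the "Whois command failed" message …
```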