Description
The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.
Remediation
References
Related Vulnerabilities
WordPress Plugin Compact WP Audio Player Cross-Site Scripting (1.9.7)
Drupal Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-13671)
Dolibarr Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2021-33816)
WordPress Plugin RSVPMaker for Toastmasters Cross-Site Request Forgery (3.3.4)
WordPress Plugin iThemes Exchange:Simple WP Ecommerce Cross-Site Scripting (1.11.18)