Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Remediation

References

CVE-2014-4650

Related Vulnerabilities

WordPress Plugin Japanized For WooCommerce Cross-Site Scripting (2.5.4)

WordPress Plugin WP Human Resource Management Security Bypass (2.2.14)

WordPress Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-3890)

WordPress Plugin WP-Polls SQL Injection (2.61)

WordPress Plugin User Profile Builder-Beautiful User Registration Forms, User Profiles & User Role Editor Unspecified Vulnerability (2.1.3)

Severity

Critical

Classification

CVE-2014-4650 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities