Description
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
Remediation
References
Related Vulnerabilities
WordPress Plugin Ultimate Category Excluder Cross-Site Request Forgery (1.1)
Apache Tomcat Improper Input Validation Vulnerability (CVE-2011-2526)
b2evolution Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3709)
WordPress Plugin FormGet Contact Form Cross-Site Scripting (5.3)
PleskLin Exposure of Resource to Wrong Sphere Vulnerability (CVE-2023-43784)