Description
Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
Remediation
References
Related Vulnerabilities
EspoCRM Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2022-38844)
WordPress Plugin CM Pop-Up banners for WordPress Cross-Site Scripting (1.4.10)
WordPress Plugin post highlights Cross-Site Scripting (2.6)
WordPress Plugin Social Slider Widget Cross-Site Scripting (1.8.4)