CVE-2011-4940
Python < 2.5.6 - Cross-Site Scripting via UTF-7 Encoding in SimpleHTTPServer
Title source: llmDescription
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
References (12)
Core 12
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1592-1
Third Party Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN51176027/index.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51040
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50858
Various Sources x_refsource_confirm
http://bugs.python.org/issue11442
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/54083
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1596-1
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1613-2
Third Party Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2012-000063
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=803500
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51024
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1613-1
Scores
EPSS
0.0027
EPSS Percentile
50.9%
Details
CWE
CWE-79
Status
published
Products (38)
python/python
0.9.0
python/python
0.9.1
python/python
1.2
python/python
1.3
python/python
1.5.2
python/python
1.6
python/python
1.6.1
python/python
2.0.1
python/python
2.1.1
python/python
2.1.2
... and 28 more
Published
Jun 27, 2012
Tracked Since
Feb 18, 2026