Vulnerability Database

CVE-2011-4940

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

  • Published: Jun 27, 2012
  • Updated: Apr 13, 2023
  • CVE: CVE-2011-4940
  • Severity: Low
  • Exploit:

CVSS v2:

  • Severity: Low
  • Score: 2.6
  • Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Software           From         Fixed in
python / python    2.4.2        2.4.2.x
python / python    2.5.1        2.5.1.x
python / python    2.3.4        2.3.4.x
python / python    2.0.1        2.0.1.x
python / python    2.3.1        2.3.1.x
python / python    0.9.1        0.9.1.x
python / python    2.1.2        2.1.2.x
python / python    0.9.0        0.9.0.x
python / python    1.6.1        1.6.1.x
python / python    2.2.1        2.2.1.x
python / python    2.5.4        2.5.4.x
python / python    1.3          1.3.x
python / python    2.2.2        2.2.2.x
python / python    2.1.1        2.1.1.x
python / python    1.5.2        1.5.2.x
python / python    2.3.3        2.3.3.x
python / python    2.3.2        2.3.2.x
python / python    1.6          1.6.x
python / python    1.2          1.2.x
python / python    2.4.6        2.4.6.x
python / python    2.2.3        2.2.3.x
python / python    2.5.2        2.5.2.x
python / python    2.3.7        2.3.7.x
python / python    -            2.5.6.x
python / python    2.5.3        2.5.3.x
python / python    2.4.4        2.4.4.x
python / python    2.3.5        2.3.5.x
python / python    2.1.3        2.1.3.x
python / python    2.4.1        2.4.1.x
python / python    2.4.3        2.4.3.x
python / python    2.6.6        2.6.6.x
python / python    2.6.1        2.6.1.x
python / python    2.6.3        2.6.3.x
python / python    2.6.4        2.6.4.x
python / python    2.6.2        2.6.2.x
python / python    2.6.5        2.6.5.x
python / python    2.7.1        2.7.1.x
python / python    2.7.1-rc1    2.7.1-rc1.x
python / python    2.7.2-rc1    2.7.2-rc1.x