CVE-2011-4940

2012-06-2700:00:00

ubuntu.com

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.0%

JSON

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer
in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2
does not place a charset parameter in the Content-Type HTTP header, which
makes it easier for remote attackers to conduct cross-site scripting (XSS)
attacks against Internet Explorer 7 via UTF-7 encoding.

Bugs

Notes

Author	Note
tyhicks	A duplicate CVE was incorrectly assigned as CVE-2012-2639

OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchpython2.4< 2.4.5-1ubuntu4.4UNKNOWN
ubuntu8.04noarchpython2.5< 2.5.2-2ubuntu6.2UNKNOWN
ubuntu10.04noarchpython2.6< 2.6.5-1ubuntu6.1UNKNOWN
ubuntu11.04noarchpython2.6< 2.6.6-6ubuntu7.1UNKNOWN
ubuntu11.04noarchpython2.7< 2.7.1-5ubuntu2.2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.04	noarch	python2.4	< 2.4.5-1ubuntu4.4	UNKNOWN
ubuntu	8.04	noarch	python2.5	< 2.5.2-2ubuntu6.2	UNKNOWN
ubuntu	10.04	noarch	python2.6	< 2.6.5-1ubuntu6.1	UNKNOWN
ubuntu	11.04	noarch	python2.6	< 2.6.6-6ubuntu7.1	UNKNOWN
ubuntu	11.04	noarch	python2.7	< 2.7.1-5ubuntu2.2	UNKNOWN