Description
Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.
Remediation
References