Description
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
Remediation
References
Related Vulnerabilities
Internet Information Services Integer Overflow or Wraparound Vulnerability (CVE-2008-1446)
Play Framework Uncontrolled Recursion Vulnerability (CVE-2020-26882)
Drupal Core 7.x Multiple Vulnerabilities (7.0)
WordPress Plugin WP eCommerce Cross-Site Scripting (3.9.2)
WordPress Plugin Login Widget With Shortcode Cross-Site Request Forgery (3.1.1)