Description
The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.
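An added example (not lighttpd's code and not the project's actual fix): a percent-decoder whose strict mode rejects control bytes, run on a constructed path ending in %00. It assumes the handler is chosen by a length-aware extension match while the file is opened through the NUL-terminated string; `url_decode`, `has_ext` and the sample path are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                               /* fold A-F onto a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes from in[0..in_len) into out (NUL-terminated on success).
 * Returns the decoded length, or -1 on a malformed escape or lack of space.
 * With strict != 0, any control byte (0x00-0x1f, 0x7f) is rejected as well. */
long url_decode(const char *in, size_t in_len, char *out, size_t out_cap, int strict) {
    size_t o = 0;
    if (out_cap == 0) return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (in_len - i < 3) return -1;   /* truncated escape */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)((hi << 4) | lo);
            i += 2;
        }
        if (strict && (c < 0x20 || c == 0x7f)) return -1;
        if (o + 1 >= out_cap) return -1;     /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Length-aware suffix match, as a buffer type that tracks its own length would do. */
int has_ext(const char *buf, size_t len, const char *ext) {
    size_t n = strlen(ext);
    return len >= n && memcmp(buf + len - n, ext, n) == 0;
}

int main(void) {
    const char *req = "/app/index.php%00";   /* constructed sample path */
    char out[64];
    long n = url_decode(req, strlen(req), out, sizeof out, 0);
    printf("lenient: len=%ld ext_match=%d c_string=%s\n", n, has_ext(out, (size_t)n, ".php"), out);
    printf("strict:  %ld\n", url_decode(req, strlen(req), out, sizeof out, 1));
    return 0;
}
```

In lenient mode the length-aware check no longer sees `.php` while the C-string view of the same buffer still names the script, which is the disagreement that strict decoding removes.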