Description
Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
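Added example, not part of the original advisory or of CPython's own code: a Python model of the sys.path[0] choice described above, together with an audit that flags sys.path entries resolving against the current working directory and the modules they would shadow. The function names, the sample argv[0] value and the temporary directory layout are constructed for illustration, and the branch for an argv[0] that does contain a separator is a simplifying assumption.

```python
import os
import tempfile

def legacy_path0(argv0):
    """sys.path[0] as the description states it: '' when argv[0] has no path
    separator. The dirname branch is a simplification (assumption)."""
    seps = [s for s in (os.sep, os.altsep) if s]
    if not argv0 or not any(s in argv0 for s in seps):
        return ""
    return os.path.dirname(argv0)

def cwd_dependent_entries(path):
    """(index, entry) pairs that resolve against the current working directory."""
    return [(i, p) for i, p in enumerate(path) if not os.path.isabs(p)]

def shadowed_modules(path, cwd):
    """Modules a cwd-relative entry would supply ahead of a later absolute
    entry that also provides them. Only plain .py files are checked."""
    hits = []
    for i, entry in cwd_dependent_entries(path):
        base = os.path.join(cwd, entry)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            if not name.endswith(".py"):
                continue
            for later in path[i + 1:]:
                if os.path.isabs(later) and os.path.isfile(os.path.join(later, name)):
                    hits.append((name[:-3], os.path.join(base, name), later))
                    break
    return hits

def demo():
    """Constructed layout: a library directory and a working directory."""
    with tempfile.TemporaryDirectory() as root:
        lib, cwd = os.path.join(root, "lib"), os.path.join(root, "work")
        for d, names in ((lib, ["helper.py"]), (cwd, ["helper.py", "notes.py"])):
            os.mkdir(d)
            for n in names:
                open(os.path.join(d, n), "w").close()
        path = [legacy_path0("embedded-app"), lib]  # argv[0] without a separator
        return path[0], [m for m, _, _ in shadowed_modules(path, cwd)]

if __name__ == "__main__":
    print(demo())
```

Running `cwd_dependent_entries(sys.path)` inside an embedding application shows whether its interpreter was initialised with an entry of this kind.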