Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
2.4.52-1ubuntu4.182.4.58-1ubuntu8.102.4.64-1ubuntu3.22.4.6-2ubuntu22.4.6-2ubuntu32.4.6-2ubuntu42.4.7-1ubuntu12.4.7-1ubuntu22.4.7-1ubuntu32.4.7-1ubuntu42.4.7-1ubuntu4.12.4.7-1ubuntu4.102.4.7-1ubuntu4.11+24 more2.4.12-2ubuntu22.4.17-1ubuntu12.4.17-2ubuntu12.4.17-3ubuntu12.4.18-1ubuntu12.4.18-2ubuntu12.4.18-2ubuntu22.4.18-2ubuntu32.4.18-2ubuntu3.12.4.18-2ubuntu3.10+27 more2.4.27-2ubuntu32.4.29-1ubuntu12.4.29-1ubuntu22.4.29-1ubuntu32.4.29-1ubuntu42.4.29-1ubuntu4.12.4.29-1ubuntu4.102.4.29-1ubuntu4.112.4.29-1ubuntu4.122.4.29-1ubuntu4.13+25 more2.4.41-1ubuntu12.4.41-4ubuntu12.4.41-4ubuntu22.4.41-4ubuntu32.4.41-4ubuntu3.12.4.41-4ubuntu3.102.4.41-4ubuntu3.112.4.41-4ubuntu3.122.4.41-4ubuntu3.132.4.41-4ubuntu3.14+15 moreExploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:HI:HA:LCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L