CVE-2013-1939

The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.

Published: Mar 14, 2014
Updated: Apr 13, 2023
CVE: CVE-2013-1939
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
fruux / sabredav	1.6.0	1.6.9
fruux / sabredav	1.7.0	1.7.7
fruux / sabredav	1.8.0	1.8.5
owncloud / owncloud	4.0.0	4.0.14
owncloud / owncloud	4.5.0	4.5.9
owncloud / owncloud	5.0.0	5.0.4

http://owncloud.org/about/security/advisories/oC-SA-2013-016/
https://groups.google.com/forum/?fromgroups=#!topic/sabredav-discuss/ehOUu7wTSGQ
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ

Vulnerability Database

289,697

CVE-2013-1939