CVE-2013-1939

EUVD-2022-4965
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
fruuxsabredav
1.6.0 ≤
𝑥
< 1.6.9
fruuxsabredav
1.7.0 ≤
𝑥
< 1.7.7
fruuxsabredav
1.8.0 ≤
𝑥
< 1.8.5
owncloudowncloud_server
4.0.0 ≤
𝑥
< 4.0.14
owncloudowncloud_server
4.5.0 ≤
𝑥
< 4.5.9
owncloudowncloud_server
5.0.0 ≤
𝑥
< 5.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php-sabredav
bookworm
1.8.12-10
fixed
bullseye
1.8.12-9
fixed
sid
1.8.12-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
owncloud
hardy
dne
lucid
dne
oneiric
not-affected
precise
not-affected
quantal
not-affected
php-sabredav
hardy
dne
lucid
dne
oneiric
dne
precise
dne
quantal
not-affected
Common Weakness Enumeration
References
http://owncloud.org/about/security/advisories/oC-SA-2013-016/
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ
http://owncloud.org/about/security/advisories/oC-SA-2013-016/
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ