CVE-2013-1939
SabreDAV 1.6.0-1.6.8, 1.7.0-1.7.6 - Path Traversal via Backslash Character
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
References (2)
Core References
Mailing List x_refsource_confirm
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ
Vendor Advisory x_refsource_confirm
http://owncloud.org/about/security/advisories/oC-SA-2013-016/
Scores
EPSS
0.0023
EPSS Percentile
45.7%
Details
CWE
CWE-20
Status
published
Products (3)
fruux/sabredav
1.6.0 - 1.6.9
owncloud/owncloud_server
4.0.0 - 4.0.14
sabre/dav
1.7.0 - 1.7.7 (Packagist)
Published
Mar 14, 2014
Tracked Since
Feb 18, 2026