cbcvebase.
CVE-2013-1939
published 2014-03-14

CVE-2013-1939: The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly…

PriorityP427medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
1.78%
75.5th percentile
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.

Affected

10 ranges
VendorProductVersion rangeFixed in
debianphp-sabredav
fruuxsabredav>= 1.6.0 < 1.6.91.6.9
fruuxsabredav>= 1.7.0 < 1.7.71.7.7
fruuxsabredav>= 1.8.0 < 1.8.51.8.5
owncloudowncloud_server>= 4.0.0 < 4.0.144.0.14
owncloudowncloud_server>= 4.5.0 < 4.5.94.5.9
owncloudowncloud_server>= 5.0.0 < 5.0.45.0.4
sabredav>= 1.6.0 < 1.6.91.6.9
sabredav>= 1.7.0 < 1.7.71.7.7
sabredav>= 1.8.0 < 1.8.51.8.5

CVSS provenance

nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_debian5.0LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.