
CVE-2013-1939 sabre/dav

Package

Manager: composer
Name: sabre/dav
Vulnerable Version: >=1.7.0 <1.7.7 || >=1.8.0 <1.8.5 || >=1.6.0 <1.6.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0023 (percentile: 0.45749)

Details

SabreDAV Directory Traversal vulnerability

The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a `\` (backslash) character.

Metadata

Created: 2022-05-14T01:52:20Z
Modified: 2023-07-07T15:45:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qg5v-jw6f-rpfj/GHSA-qg5v-jw6f-rpfj.json
CWE IDs: ["CWE-20", "CWE-22"]
Alternative ID: GHSA-qg5v-jw6f-rpfj
Finding: F063
Auto approve: 1