| Name | CVE-2013-1939 |
| Description | The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| php-sabredav (PTS) | bullseye | 1.8.12-9 | fixed |
| bookworm, sid | 1.8.12-10 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| owncloud | source | (unstable) | (not affected) | |||
| php-sabredav | source | (unstable) | (not affected) |
- owncloud <not-affected> (Windows version only)
- php-sabredav <not-affected> (running in Windows hosts)
http://owncloud.org/about/security/advisories/oC-SA-2013-016/