CVE-2013-1939
Description
SabreDAV HTML/Browser plugin on Windows allows arbitrary file read via backslash path traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, fails to properly handle Windows path separators. When running on Windows, the plugin does not validate backslash (\) characters in the base path, allowing directory traversal [1].
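The failure mode described above, as an added illustration (not SabreDAV's code and not taken from the advisory): a check that only looks for `..` between forward slashes passes a backslash path that Windows still resolves outside the base directory. Python's `ntpath` is used so Windows path rules can be reproduced on any platform; `BASE`, the function names and the sample paths are assumptions constructed for this example.

```python
import ntpath

BASE = r"C:\dav\public"  # assumed share root, constructed for this example

def naive_is_safe(rel):
    """Slash-only validation: rejects '..' segments split on '/' only."""
    return ".." not in rel.split("/")

def resolve_windows(base, rel):
    """Resolve base + rel the way Windows does: '/' and '\\' both separate."""
    rel = rel.lstrip("/\\")  # treat the request path as relative to base
    return ntpath.normpath(ntpath.join(base, rel))

def is_contained(base, rel):
    """Hardened check: resolve first, then require the result to stay under base."""
    root = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normcase(resolve_windows(base, rel))
    return full == root or full.startswith(root + "\\")

# Constructed request paths, not taken from any advisory.
SAMPLES = ["docs/readme.txt", "../../secret.txt", "..\\..\\secret.txt"]

def audit(samples=SAMPLES, base=BASE):
    """Return (path, naive verdict, contained verdict, resolved path) rows."""
    return [(p, naive_is_safe(p), is_contained(base, p), resolve_windows(base, p))
            for p in samples]

if __name__ == "__main__":
    for path, naive, contained, resolved in audit():
        print(f"{path!r:24} naive_ok={naive!s:5} contained={contained!s:5} -> {resolved}")
```

The backslash sample is the only row where the two verdicts disagree, which is the gap a validation routine has to close when the same code runs on Windows.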
Exploitation
An attacker can send a crafted HTTP request to the SabreDAV server with a base path containing \ sequences (e.g., \..\..\). No authentication is required; the attacker only needs network access to the affected service [1].
Impact
Successful exploitation allows reading arbitrary files from the server's filesystem, leading to information disclosure of sensitive data [1][2].
Mitigation
Fixed versions: SabreDAV 1.6.9, 1.7.7, and 1.8.5. Users should upgrade to these versions or later. If upgrading is not possible, consider disabling the HTML\Browser plugin or running the server on a non-Windows platform [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sabre/dav (Packagist) | >= 1.7.0, < 1.7.7 | 1.7.7 |
| sabre/dav (Packagist) | >= 1.8.0, < 1.8.5 | 1.8.5 |
| sabre/dav (Packagist) | >= 1.6.0, < 1.6.9 | 1.6.9 |
Affected products: 3
Patches: 0
No patches discovered yet.
References (7)
- owncloud.org/about/security/advisories/oC-SA-2013-016/ (NVD, Vendor Advisory)
- github.com/advisories/GHSA-qg5v-jw6f-rpfj (GHSA, Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-1939 (GHSA, Advisory)
- owncloud.org/about/security/advisories/oC-SA-2013-016 (GHSA, Web)
- github.com/FriendsOfPHP/security-advisories/blob/master/sabre/dav/CVE-2013-1939.yaml (GHSA, Web)
- groups.google.com/forum/ (GHSA, Web)
- groups.google.com/forum/ (NVD, Web)