The multifilesystem storage backend in Radicale prior to 1.1 allows remote malicious users to read or write to arbitrary files via a crafted component name.
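The following is an added example, not Radicale's code or its actual patch. It shows how a file-per-component storage backend can map a client-supplied component name to a path without leaving the collection folder, next to the unchecked join that makes this class of bug possible. The function names, the folder path and the sample names are assumptions constructed for illustration.

```python
import os


class UnsafeComponentName(ValueError):
    """The component name would resolve outside the collection folder."""


def naive_component_path(collection_folder, component_name):
    # Vulnerable pattern: the client-supplied name is joined unchecked, so
    # "../" segments or an absolute name select a file outside the folder.
    return os.path.normpath(os.path.join(collection_folder, component_name))


def safe_component_path(collection_folder, component_name):
    # 1. A component name must be a single plain path segment.
    if (not component_name
            or component_name in (".", "..")
            or "\x00" in component_name
            or "/" in component_name
            or "\\" in component_name):
        raise UnsafeComponentName(repr(component_name))
    # 2. Defence in depth: after resolving symlinks, the target must still
    #    sit directly under the collection folder.
    base = os.path.realpath(collection_folder)
    target = os.path.realpath(os.path.join(base, component_name))
    if os.path.dirname(target) != base:
        raise UnsafeComponentName(repr(component_name))
    return target


def classify(collection_folder, names):
    """Return {name: resolved path, or None when the name is rejected}."""
    result = {}
    for name in names:
        try:
            result[name] = safe_component_path(collection_folder, name)
        except UnsafeComponentName:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    samples = ["event1.ics", "../../etc/passwd", "/etc/passwd", ".."]
    for name, path in classify("/tmp/collections/cal", samples).items():
        print(f"{name!r:24} -> {path or 'REJECTED'}")
```

The check runs before any open, rename or delete on the path, so reads and writes are covered by the same guard.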
Debian Bug report logs - #809920
radicale: Upstream version 1.1 fixes several security issues (CVE-2015-8747 CVE-2015-8748)
Package: radicale;
Maintainer for radicale is Jonas Smedegaard <dr@jonesdk>; Source for radicale is src:radicale (PTS, buildd, popcon)
Reported by: Felix Knecht <debian@felixknechtde>
Date: Mo ...
Two vulnerabilities were fixed in radicale, a CardDAV/CalDAV server:
CVE-2015-8747
The (not configured by default and not available on Wheezy)
multifilesystem storage backend allows read and write access to
arbitrary files (still subject to the DAC permissions of the user
the radicale server is running as).
CVE-2015-8748
If an ...