CVE-2019-19576
CRITICAL9.8EPSS 50.6%Remote code execution in verot/class.upload.php
Published: 1/16/2020Modified: 11/8/2023
Description
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Affected packages (1)
- Packagist/verot/class.upload.phpfrom 0, < 1.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19576
- WEBhttp://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
- WEBhttps://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- WEBhttps://github.com/jra89/CVE-2019-19576
- WEBhttps://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- WEBhttps://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- WEBhttps://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- WEBhttps://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- WEBhttps://medium.com/@jra8908/cve-2019-19576-e9da712b779
- WEBhttps://www.verot.net
- WEBhttps://www.verot.net/php_class_upload.htm