CVE-2019-19634

CRITICAL9.8EPSS 15.0%

class.upload.php in verot.net omits .pht from the set of dangerous file extensions

Published: 2/28/2020Modified: 11/8/2023

Description

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

Affected packages (1)

Packagist/verot/class.upload.phpfrom 0, <= 1.0.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19634
WEBhttps://github.com/jra89/CVE-2019-19634
WEBhttps://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
WEBhttps://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e