CVE-2019-19634

CRITICAL9.8EPSS 15.0%

class.upload.php in verot.net omits .pht from the set of dangerous file extensions

發布日:2020/2/28修改日:2023/11/8

描述

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

受影響套件(1)

Packagist/verot/class.upload.phpfrom 0, <= 1.0.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19634
WEBhttps://github.com/jra89/CVE-2019-19634
WEBhttps://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
WEBhttps://medium.com/@jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e