CVE-2019-19576 – verot/class.upload.php
Package
Manager: composer
Name: verot/class.upload.php
Vulnerable Version: >=0 <1.0.3 || >=2.0.0 <2.0.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.44137 (percentile: 0.97461)
Details
Remote code execution in verot/class.upload.php. class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Metadata
Created: 2020-01-16T22:17:40Z
Modified: 2021-08-19T16:24:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-r5gm-4p5w-pq2p/GHSA-r5gm-4p5w-pq2p.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-r5gm-4p5w-pq2p
Finding: F027
Auto approve: 1