CVE-2019-19634 – verot/class.upload.php
Package
Manager: composer
Name: verot/class.upload.php
Vulnerable Version: >=0 <=1.0.3 || >=2.0.0 <=2.0.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.15025 (percentile: 0.94316)
Details
class.upload.php in verot.net omits .pht from the set of dangerous file extensions.

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
Metadata
Created: 2020-02-28T01:10:17Z
Modified: 2021-08-19T19:29:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-2gc7-w4hw-rr2m/GHSA-2gc7-w4hw-rr2m.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-2gc7-w4hw-rr2m
Finding: F027
Auto approve: 1