Vulnerability Details CVE-2019-19634
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.15
EPSS Ranking 94.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/jra89/CVE-2019-19634
- https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
- https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e
- https://github.com/jra89/CVE-2019-19634
- https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068
- https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e
Products affected by CVE-2019-19634
-
cpe:2.3:a:getk2:k2:-
-
cpe:2.3:a:getk2:k2:2.10.1
-
cpe:2.3:a:verot_project:verot:1.0.0
-
cpe:2.3:a:verot_project:verot:1.0.1
-
cpe:2.3:a:verot_project:verot:1.0.2
-
cpe:2.3:a:verot_project:verot:2.0.0
-
cpe:2.3:a:verot_project:verot:2.0.1
-
cpe:2.3:a:verot_project:verot:2.0.2
-
cpe:2.3:a:verot_project:verot:2.0.3