Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Z20tNHA1dy1wcTJw
Remote code execution in verot/class.upload.php
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Permalink: https://github.com/advisories/GHSA-r5gm-4p5w-pq2pJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Z20tNHA1dy1wcTJw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-r5gm-4p5w-pq2p, CVE-2019-19576
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-19576
- https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- https://github.com/jra89/CVE-2019-19576
- https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- https://medium.com/@jra8908/cve-2019-19576-e9da712b779
- https://www.verot.net
- https://www.verot.net/php_class_upload.htm
- http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
- https://github.com/advisories/GHSA-r5gm-4p5w-pq2p
Blast Radius: 20.7
Affected Packages
packagist:verot/class.upload.php
Dependent packages: 28Dependent repositories: 128
Downloads: 615,370 total
Affected Version Ranges: >= 2.0.0, < 2.0.4, < 1.0.3
Fixed in: 2.0.4, 1.0.3
All affected versions: 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3
All unaffected versions: 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6