CVE-2019-19576

high-risk

Published 2019-12-04

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Do I need to act?

50.6% chance of exploitation in next 30 days

EPSS score — higher than 49% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

47749

Fix available

Upgrade to: d1344706c4b74c2ae7659b286b5a066117155124, db1b4fe50c1754696970d8b437f07e7b94a7ebf2, bde864563f4fefa4a2f44993937f82effebb7e25, 5a7505ddec956fdc9e9c071ae5089865559174f1

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Verot

Affected Vendors

Verot Project Getk2

References (20)

Exploit http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.ht...

Patch https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124

Exploit https://github.com/jra89/CVE-2019-19576

Patch https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae508986...

Patch https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7...

Patch https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3

Patch https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4

https://medium.com/%40jra8908/cve-2019-19576-e9da712b779

Product https://www.verot.net

Vendor Advisory https://www.verot.net/php_class_upload.htm