GHSA-2gc7-w4hw-rr2m

Source

https://github.com/advisories/GHSA-2gc7-w4hw-rr2m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-2gc7-w4hw-rr2m/GHSA-2gc7-w4hw-rr2m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2gc7-w4hw-rr2m

Aliases

CVE-2019-19634

Published

2020-02-28T01:10:17Z

Modified

2023-11-08T04:01:28.854550Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

class.upload.php in verot.net omits .pht from the set of dangerous file extensions

Details

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-02-25T16:03:36Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434"
    ]
}

References

Affected packages

Packagist / verot/class.upload.php

Package

Name: verot/class.upload.php
Purl: pkg:composer/verot/class.upload.php

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.3

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

Packagist / verot/class.upload.php

Package

Name: verot/class.upload.php
Purl: pkg:composer/verot/class.upload.php

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Last affected

2.0.4

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4