GHSA-r5gm-4p5w-pq2p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r5gm-4p5w-pq2p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-r5gm-4p5w-pq2p/GHSA-r5gm-4p5w-pq2p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r5gm-4p5w-pq2p
- Aliases
- Published
- 2020-01-16T22:17:40Z
- Modified
- 2023-11-08T04:01:28.545932Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Remote code execution in verot/class.upload.php
- Details
-
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-01-16T22:17:24Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-434" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-19576
- https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- https://github.com/jra89/CVE-2019-19576
- https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- https://medium.com/@jra8908/cve-2019-19576-e9da712b779
- https://www.verot.net
- https://www.verot.net/php_class_upload.htm
- http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
Affected packages
Packagist / verot/class.upload.php
Package
- Name
- verot/class.upload.php
- Purl
- pkg:composer/verot/class.upload.php
Packagist / verot/class.upload.php
Package
- Name
- verot/class.upload.php
- Purl
- pkg:composer/verot/class.upload.php