CVE-2019-19576

CRITICAL

verot.net class.upload <2.0.4 - Info Disclosure

Title source: llm

Description

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Exploits (2)

exploitdb WORKING POC
by Jinny Ramsmark · php · webapps · php
https://www.exploit-db.com/exploits/47749
nomisec WORKING POC 12 stars
by jra89 · poc
https://github.com/jra89/CVE-2019-19576

Scores

CVSS v3 9.8
EPSS 0.5058
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (3)
getk2/k2 < 2.10.1
verot/class.upload.php 0 - 1.0.3 (Packagist)
verot_project/verot < 1.0.3
Published Dec 04, 2019
Tracked Since Feb 18, 2026