Arbitrary File Upload

Affecting verot/class.upload.php package, versions <1.0.3 || >=2.0.0, <2.0.4


Overview

verot/class.upload.php is a PHP class that can be used to upload files and manipulate images very easily.

Affected versions of this package are vulnerable to Arbitrary File Upload (CWE-434). class.upload.php in verot.net before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions it blocks, so a file with that extension passes the upload check that was meant to stop server-side code from being uploaded.
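The weakness is a denylist that forgot one extension. The following added illustration (not code from class.upload.php; its denylist and allowlist are constructed for the demo) contrasts a denylist check that lacks `phar` with an allowlist check that only accepts the extensions the endpoint actually needs, and shows how case variants and double extensions behave under each:

```php
<?php
// Added illustration of CWE-434 extension checks; not class.upload.php's own code.
// DEMO_DENYLIST is constructed for this demo and deliberately lacks 'phar',
// mirroring the flaw described above.
declare(strict_types=1);

const DEMO_DENYLIST  = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'py', 'cgi', 'sh', 'asp', 'aspx', 'jsp'];
// Allowlist for a hypothetical image/document upload endpoint.
const DEMO_ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/** Lower-cased extension after the last dot of the base name, or '' if none. */
function extension_of(string $filename): string
{
    $base = basename($filename);
    $pos  = strrpos($base, '.');
    return $pos === false ? '' : strtolower(substr($base, $pos + 1));
}

/** Denylist: rejects only the known-bad extensions, accepts anything not listed. */
function rejected_by_denylist(string $filename): bool
{
    return in_array(extension_of($filename), DEMO_DENYLIST, true);
}

/** Allowlist: every extension segment must be allowed, so 'x.phar.jpg' is refused too. */
function accepted_by_allowlist(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    foreach (array_slice($parts, 1) as $ext) {
        if ($ext === '' || !in_array($ext, DEMO_ALLOWLIST, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; the .phar variants slip past the denylist but not the allowlist.
$samples = ['photo.jpg', 'shell.php', 'shell.phar', 'SHELL.PHAR', 'shell.phar.jpg'];
foreach ($samples as $name) {
    printf("%-16s denylist rejects: %-4s allowlist accepts: %s\n",
        $name,
        rejected_by_denylist($name) ? 'yes' : 'no',
        accepted_by_allowlist($name) ? 'yes' : 'no');
}
```

An extension allowlist is one layer only: the upload directory should also be served without script execution, and files should be stored under server-generated names.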

Remediation

Upgrade verot/class.upload.php to version 1.0.3, 2.0.4 or higher.

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Credit
Unknown
CVE
CVE-2019-19576
CWE
CWE-434
Snyk ID
SNYK-PHP-VEROTCLASSUPLOADPHP-536785
Disclosed
04 Dec, 2019
Published
04 Dec, 2019