CVE-2019-19576
28Vexday Risk Score
No sign of exploitation. It has a public proof of concept.
ssvc Attendepss 26%
from disclosure to weapon0 days
Published on NVDDec 4
1st PoCDec 4
exploitation probability
26%top 2% of all CVEs
observed exploitation
nono source reports it
3 public exploit(s)
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
Affected products
n/a · n/apublic PoCs found — 3
githubgithub.com/jra89/CVE-2019-19576★ 12cve_referencepacketstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/47749unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.htmlhttps://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124https://github.com/jra89/CVE-2019-19576https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4https://medium.com/%40jra8908/cve-2019-19576-e9da712b779https://www.verot.nethttps://www.verot.net/php_class_upload.htm