CVE-2019-19576
NVD: class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions. OSV: class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla!
Severity: 9.8 (CRITICAL)
EPSS: 0.2618 (98th percentile)
KEV: -
Source-published summary
NVD: class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions. OSV: class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla!
Possible impact
This critical-severity issue needs human triage to confirm exposure, affected versions, and vendor guidance.
Affected context
vendor/product: verot_project / verot
Remediation / advisory
Remediation reference present; patch status requires confirmation in the linked advisory.
Why it matters
This critical-severity issue needs human triage to confirm exposure, affected versions, and vendor guidance; CVSS 9.8 (CRITICAL); EPSS percentile 98; not listed in KEV; remediation reference present, but patch status requires confirmation in the linked advisory; sources: NVD, OSV, Vendor Advisory.
What to verify
Confirm affected product/version, vendor advisory, patch or mitigation, and exposure.
Exposure hint
exposure unknown
Impact tags
Urgency reasons
Source-derived note
Summary derived from NVD / OSV / Vendor Advisory description; unsafe procedural detail is not shown.
Redaction metadata
- source summary used: true
- fallback summary used: false
- unsafe procedural detail present: false
- raw source displayed: false
- public summary redacted: true
Remediation handoff
Public-safe static handoff for human/Codex remediation planning. Scan, patch, external execution, and auto remediation are disabled.
Safety note
This radar shows source-published defensive context only. Exploit procedures, exploit strings, scanner commands, and auto-remediation are not provided.
Official references
- https://nvd.nist.gov/vuln/detail/CVE-2019-19576
- https://osv.dev/vulnerability/CVE-2019-19576
- http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
- https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- https://github.com/verot/class.upload.php/compare/2.0.3...2.0.4
- https://www.verot.net/php_class_upload.htm