PT-2019-15893 · Open Source Matters · Joomla!
Jinny Ramsmark · Published 2019-12-17 · Updated 2020-02-28
CVE-2019-19634 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
class.upload.php versions 1.0.0 through 1.0.3
class.upload.php versions 2.0.0 through 2.0.4
Description
The issue stems from the omission of .pht from the set of dangerous file extensions in class.upload.php, similar to a previously known issue. Products that use this class, such as the K2 extension for Joomla, are affected.
Recommendations
For class.upload.php versions 1.0.0 through 1.0.3, update to a version that includes .pht in the set of dangerous file extensions.
For class.upload.php versions 2.0.0 through 2.0.4, update to a version that includes .pht in the set of dangerous file extensions.
As a temporary workaround, consider manually adding .pht to the set of dangerous file extensions to prevent potential exploitation.
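To illustrate the deny-list gap and the workaround described above, the following is an added example; it is not code from class.upload.php or from the advisory, and the function names and extension lists are hypothetical.

```php
<?php
// Added example, not code from class.upload.php: a deny-list check that
// omits "pht" next to the workaround (the same list with "pht" added) and
// an allow-list check. Function names and extension lists are hypothetical.

// Illustrative deny-list that leaves out pht (the gap the advisory describes).
const DENY_WITHOUT_PHT = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
// Workaround from the advisory: the same list with pht added.
const DENY_WITH_PHT = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'pht'];
// Allow-list: only the types the application actually needs (hypothetical).
const ALLOW_IMAGES = ['jpg', 'jpeg', 'png', 'gif'];

/** All extensions of a name, lower-cased: "a.tar.gz" -> ["tar", "gz"]. */
function extensions(string $filename): array {
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts);                   // drop the base name
    return array_filter($parts, 'strlen'); // ignore empty segments ("a..b")
}

/** Deny-list check: the upload is blocked only if some extension is listed. */
function blocked_by_denylist(string $filename, array $deny): bool {
    return array_intersect(extensions($filename), $deny) !== [];
}

/** Allow-list check: accepted only with exactly one extension, and it is listed. */
function accepted_by_allowlist(string $filename, array $allow): bool {
    $ext = array_values(extensions($filename));
    return count($ext) === 1 && in_array($ext[0], $allow, true);
}

// Constructed sample names; nothing is written to disk.
foreach (['photo.jpg', 'upload.pht', 'upload.PHT'] as $name) {
    printf("%-12s deny(no pht)=%s deny(with pht)=%s allow=%s\n",
        $name,
        blocked_by_denylist($name, DENY_WITHOUT_PHT) ? 'blocked' : 'passes',
        blocked_by_denylist($name, DENY_WITH_PHT) ? 'blocked' : 'passes',
        accepted_by_allowlist($name, ALLOW_IMAGES) ? 'accepted' : 'rejected');
}
```

The deny-list without pht lets a .pht name through regardless of case, the patched list blocks it, and the allow-list rejects it without needing to know the extension at all.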
Weakness Enumeration
Unrestricted File Upload
Affected Products
Joomla!
K2