CVE-2019-19634

critical

Description

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

References

https://medium.com/%40jra8908/cve-2019-19634-arbitrary-file-upload-in-class-upload-php-ccaf9e13875e

https://github.com/verot/class.upload.php/blob/2.0.4/src/class.upload.php#L3068

https://github.com/jra89/CVE-2019-19634

Details

Source: Mitre, NVD

Published: 2019-12-17

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.04153

Detections

Analytics