Arbitrary file upload in class.upload.php - CVE-2019-19576
Published: December 12, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU23560
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-19576
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Colin Verot
Affected software:
class.upload.php
class.upload.php
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file uploads in "class.upload.php" in "verot.net". A remote attacker can upload and execute arbitrary file on the server.
How to mitigate CVE-2019-19576
Install updates from vendor's website.
Sources
- https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124
- https://github.com/jra89/CVE-2019-19576
- https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1
- https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2
- https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3
- https://github.com/verot/class.upload.php/compare/2.0.3...2.0.
- https://www.verot.net/php_class_upload.htm