CVE-2019–19634 (Arbitrary file upload in class.upload.php)
--
class.upload.php <= 2.0.4 Arbitrary file upload
Vendor: https://www.verot.net/
Product: class.upload.php
PoC github: https://github.com/jra89/CVE-2019–19634
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019–19634
This is basically the exact same thing again as with CVE-2019–19576. I took another look after the patch was released and realized that there are other PHP extensions out there, in this case on Debian/Ubuntu with PHP5 that this library does not blacklist. So I installed PHP5 on Ubuntu and tested it, and the same thing went through. Both Verot and K2/JoomlaWorks have released patches and agreed to release this new CVE.
So this is a bit of a shorter text, but there are a bunch of more coming up (That are currently within the 90 days responsible disclosure timeline, plus some Vendors that have asked for extended time).









