
CVE-2019-19634: class.upload.php in verot.net omits .pht from the set of dangerous file extensions

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.94233%
Published: 2/28/2020
Updated: 1/9/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| verot/class.upload.php | composer | <= 1.0.3 | |
| verot/class.upload.php | composer | >= 2.0.0, <= 2.0.4 | |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from an incomplete blacklist of dangerous file extensions. The CVE description explicitly states that '.pht' was omitted from the forbidden extensions, which matters because Apache servers are often configured to execute .pht files as PHP scripts, so an upload that passes the check can still run as server-side code. The exact function name is not shown in the provided code snippets, but class.upload.php's security validation logic for uploaded files (commonly implemented in a check_security or similar method) would be responsible for extension validation. The GitHub advisory's reference to line 3068 places it near security-related variables such as $no_script and the MIME checks, strongly suggesting that extension validation occurs in this area. The confidence is high because the CVE's root cause (missing .pht in the blacklist) maps directly onto the responsibility of the extension validation function.
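To make the root cause concrete, the following added example (not code from verot.net's class.upload.php) contrasts the two validation strategies. The blacklist is constructed for illustration: it denies the usual PHP extensions but, like the flawed check the CVE describes, omits .pht. The allowlist variant accepts only the extensions the application actually needs, so an omission in a deny list cannot reintroduce script execution.

```python
"""Upload extension validation: incomplete blacklist vs. allowlist.

Added example; not code from class.upload.php. The blacklist below is
constructed to mirror the flaw described in CVE-2019-19634.
"""
import os

# Constructed deny list: common PHP extensions are blocked, but .pht is
# missing, which is exactly the gap the CVE describes.
INCOMPLETE_BLACKLIST = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Hypothetical allow list for an image-upload feature: only what is needed.
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def extension_of(filename):
    """Return the lowercased final extension of a filename, or '' if none.

    Only the basename is inspected so directory components cannot
    influence the result, and comparison is case-insensitive.
    """
    base = os.path.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def blacklist_allows(filename, denied=INCOMPLETE_BLACKLIST):
    """Vulnerable pattern: accept anything that is not explicitly denied.

    Any extension the author forgot (here .pht) slips through.
    """
    return extension_of(filename) not in denied


def allowlist_allows(filename, allowed=IMAGE_ALLOWLIST):
    """Hardened pattern: accept only explicitly permitted extensions.

    A filename with no extension is rejected as well.
    """
    ext = extension_of(filename)
    return bool(ext) and ext in allowed


def compare(filenames):
    """Return {filename: (blacklist_result, allowlist_result)} for review."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample upload names.
    for name, (bl, al) in compare(["photo.JPG", "shell.php", "shell.pht"]).items():
        print(f"{name:12} blacklist={'accept' if bl else 'reject':6} "
              f"allowlist={'accept' if al else 'reject'}")
```

Running the block shows the divergence on `shell.pht`: the deny list accepts it while the allow list rejects it. Pairing the allow list with a server-chosen filename on disk (rather than the client's name) and a non-executing upload directory keeps the outcome the same even if the web server's handler mappings change.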


WAF Protection Rules

WAF Rule

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-****-*****.
