cbcvebase.
CVE-2019-19576
published 2019-12-04

Priority: P2 · 73 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: known exploit
EPSS: 26.18% (97.7th percentile)

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Affected

7 ranges

Vendor          Product            Version range        Fixed in
joomlaworks     k2                 <= 2.10.1            n/a
verot           class.upload.php   >= 0, < 1.0.3        1.0.3
verot           class.upload.php   0 – 1.0.3            n/a
verot           class.upload.php   >= 2.0.0, < 2.0.4    2.0.4
verot           class.upload.php   2.0.0 – 2.0.4        n/a
verot_project   verot              < 1.0.3              1.0.3
verot_project   verot              >= 2.0.0, < 2.0.4    2.0.4

Detection & IOCs (extracted from sources)

filename: image.jpg.phar
  • Flag file uploads where the final extension is .phar, especially when the filename also contains an image extension (e.g., .jpg.phar), as class.upload.php omits .phar from its dangerous extension blocklist.
  • Detect polyglot JPEG/.phar files by inspecting uploaded files for a valid JPEG header (0xFF 0xD8) combined with embedded PHP code; the exploit searches for the JPEG SOS marker (0xFF 0xDA) and injects PHP payload bytes after it.
  • Alert on web server requests to uploaded files with a .phar extension being executed via the PHP runtime, particularly under Joomla! K2 extension upload directories.
  • The bypass is version-specific: class.upload versions before 1.0.3 and 2.x before 2.0.4 are affected. Patched versions add .phar to the dangerous extensions list, so the upload bypass only applies to unpatched deployments.
  • The exploit relies on the target server treating .phar files as executable PHP. If the web server is not configured to execute .phar via the PHP handler, the RCE payload will not execute even if the file is successfully uploaded.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa     n/a       9.8     CRITICAL   n/a
osv      n/a       9.8     CRITICAL   n/a