class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.Referenceshttps://www.verot.net/php_class_upload.htmhttps://www.verot.nethttps://github.com/verot/class.upload.php/compare/2.0.3...2.0.4https://github.com/verot/class.upload.php/commit/5a7505ddec956fdc9e9c071ae5089865559174f1https://github.com/verot/class.upload.php/compare/1.0.2...1.0.3https://github.com/verot/class.upload.php/commit/db1b4fe50c1754696970d8b437f07e7b94a7ebf2https://github.com/getk2/k2/commit/d1344706c4b74c2ae7659b286b5a066117155124https://github.com/jra89/CVE-2019-19576https://medium.com/%40jra8908/cve-2019-19576-e9da712b779http://packetstormsecurity.com/files/155577/Verot-2.0.3-Remote-Code-Execution.html
