{"id":"CVE-2019-19502","details":"Code injection in pluginconfig.php in Image Uploader and Browser for CKEditor before 4.1.9 allows remote authenticated users to execute arbitrary PHP code.","modified":"2026-05-18T16:59:38.149154Z","published":"2019-12-02T16:15:12.470Z","references":[{"type":"WEB","url":"https://visat.me/security/cve-2019-19502/"},{"type":"ADVISORY","url":"https://github.com/xsmo/Image-Uploader-and-Browser-for-CKEditor/compare/4.1.8...v4.1.9"},{"type":"ADVISORY","url":"https://github.com/xsmo/Image-Uploader-and-Browser-for-CKEditor/pull/11"},{"type":"FIX","url":"https://github.com/xsmo/Image-Uploader-and-Browser-for-CKEditor/commit/c293d38c8b99444e775d94c1af50c9676c6544d2"},{"type":"FIX","url":"https://github.com/xsmo/Image-Uploader-and-Browser-for-CKEditor/pull/11/commits/5c7a6b0e10504f08e2f50655541b767e276ce749"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xsmo/image-uploader-and-browser-for-ckeditor","events":[{"introduced":"0"},{"fixed":"c31cbdb074d7fdd544f78e7469d1b68b8e9333aa"},{"fixed":"c293d38c8b99444e775d94c1af50c9676c6544d2"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"4.1.9"}],"cpe":"cpe:2.3:a:maleck:image_uploader_and_browser_for_ckeditor:*:*:*:*:*:*:*:*"}}],"versions":["4.1.8","4.1.7","4.1.6","4.1.5","4.1.3","4.1","v4.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19502.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}