VDB
CVE-2019-13464
CVE-2019-13464
PUBLISHED
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
EPSS 0.24% · 46.8th percentile
Risk Scores
EPSS Score
0.24%
46.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:25.10 | modsecurity | 3.0.14-1build1, 3.0.14-1, 3.0.13-1 |
| Ubuntu:20.04:LTS | modsecurity | 3.0.3-1, 3.0.4-1build1, 0 |
| Ubuntu:22.04:LTS | modsecurity | 0, 3.0.4-2, 3.0.6-1 |
| Ubuntu:18.04:LTS | modsecurity-crs | 0, 3.0.0-3, 3.0.2-1 |
| Ubuntu:24.04:LTS | modsecurity | 3.0.12-1.1build1, 3.0.12-1, 3.0.12-1.1build2 |
Timeline
- Jul 9, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-13464 third-party-advisory
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386 third-party-advisory
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1391 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-13464 third-party-advisory