
Joomla patches privilege elevation, account creation vulnerability

Joomla has patched a pair of vulnerabilities in its CMS that, if left unfixed, would allow attackers to create accounts and to elevate their privileges, respectively.

Both flaws were rated “High” severity and affect Joomla CMS versions 3.4.4 through 3.6.3, according to a pair of Oct. 25 security advisories.

The elevated-privilege flaw, CVE-2016-8869, is caused by the incorrect use of unfiltered data, allowing users to register on a site with elevated privileges. The account-creation flaw, CVE-2016-8870, is caused by inadequate checks that allow users to register on a site when registration has been disabled. Chained together, the two let an account with elevated privileges be created even on a site where self-registration is switched off, which is what makes a takeover possible. The account-creation flaw was discovered by independent researcher Demis Palma on Oct. 18, and Joomla's own security researchers spotted the second flaw not long after, according to Softpedia.

To avoid exploitation of the flaws, users are encouraged to update to version 3.6.4, as unpatched systems could allow an attacker to take over Joomla CMS installations.
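The advisories describe the two root causes only at the level of "unfiltered data" and "inadequate checks". The following added example is not Joomla's code; it models, in a hypothetical self-service registration handler, what those two weaknesses look like next to a hardened version of the same handler, and adds a helper that tests a version string against the affected range quoted above. The `config["allow_user_registration"]` key, the `User` record and the `ATTACKER_POST` request are assumptions constructed for the example; the group ids 2 and 8 are only borrowed from a stock Joomla install (Registered and Super Users) so the demonstration reads realistically.

```python
"""Added illustration (not Joomla's code) of the two registration weaknesses the
advisories describe, beside a hardened handler, plus an affected-version check.

Assumptions (hypothetical, simplified model of a CMS registration endpoint):
- config["allow_user_registration"] mirrors a site-wide "allow registration" switch
- a User record carries a list of group ids; the ids 2 and 8 are the stock Joomla
  "Registered" and "Super Users" groups and are used for realism only
"""
from dataclasses import dataclass, field

DEFAULT_GROUP = 2      # "Registered" in a stock Joomla install
SUPER_USER_GROUP = 8   # "Super Users" in a stock Joomla install

# Fields a self-service registrant may supply. Anything else (notably "groups",
# which decides privileges) is set by the server, never copied from the request.
REGISTRATION_FIELDS = {"name", "username", "email", "password"}


class RegistrationDisabled(Exception):
    """Raised when registration is attempted on a site that has it switched off."""


@dataclass
class User:
    username: str
    email: str
    groups: list = field(default_factory=list)


def register_vulnerable(post: dict, config: dict) -> User:
    """Models both weaknesses: the posted 'user' array is used unfiltered, so a
    client-supplied 'groups' list is honoured (elevated privileges), and the
    registration switch in config is never consulted (account creation)."""
    data = post["user"]
    groups = data.get("groups") or [DEFAULT_GROUP]
    return User(data["username"], data["email"], [int(g) for g in groups])


def register_hardened(post: dict, config: dict) -> User:
    """Server-side gate first, then an allowlist of client-controlled fields;
    group membership comes from policy, never from the request body."""
    if not config.get("allow_user_registration", False):
        raise RegistrationDisabled("self-registration is disabled for this site")
    data = {k: v for k, v in post["user"].items() if k in REGISTRATION_FIELDS}
    for required in ("username", "email", "password"):
        if not data.get(required):
            raise ValueError(f"missing required field: {required}")
    return User(data["username"], data["email"], [DEFAULT_GROUP])


def parse_version(v: str) -> tuple:
    """'3.6.3' -> (3, 6, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """True for the range the advisories list: 3.4.4 through 3.6.3 inclusive."""
    return parse_version("3.4.4") <= parse_version(version) <= parse_version("3.6.3")


# Constructed request: what the registration form would post, plus an extra
# 'groups' entry injected by the attacker asking for Super Users.
ATTACKER_POST = {
    "user": {
        "name": "Mallory",
        "username": "mallory",
        "email": "mallory@example.invalid",
        "password": "hunter2",
        "groups": [str(SUPER_USER_GROUP)],
    }
}

if __name__ == "__main__":
    site = {"allow_user_registration": False}
    u = register_vulnerable(ATTACKER_POST, site)
    print("vulnerable handler created", u.username, "in groups", u.groups)
    try:
        register_hardened(ATTACKER_POST, site)
    except RegistrationDisabled as e:
        print("hardened handler refused:", e)
    site["allow_user_registration"] = True
    u = register_hardened(ATTACKER_POST, site)
    print("hardened handler created", u.username, "in groups", u.groups)
    for v in ("3.4.3", "3.4.4", "3.6.3", "3.6.4"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The two fixes are independent and both are needed: gating on the server-side setting stops the account-creation bug, and the field allowlist stops the privilege bug; dropping only the `groups` key would still leave registration open on sites that have disabled it.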
