
[Vulnerability notice] CVE-2016-8869/8870: Account creation vulnerability and privilege escalation vulnerability in Joomla!

Last Updated: Apr 18, 2018

Recently it was disclosed that the Joomla! CMS is affected by an account creation vulnerability, CVE-2016-8869, and a privilege escalation vulnerability, CVE-2016-8870. Chained together, they allow a remote, unauthenticated attacker to register an account on a site even when user registration has been disabled, obtain administrator privileges for that account, and thereby take control of the website.

See the following for more information about the vulnerability.


CVE identifier

CVE-2016-8869/8870

Vulnerability name

Joomla! account creation vulnerability and privilege escalation vulnerability

Vulnerability description

CVE-2016-8869 (core account creation): inadequate checks in the core user registration code allow a remote attacker to create an account even when the administrator has disabled registration. CVE-2016-8870 (core elevated privileges): incorrect use of unfiltered request data during registration allows the attacker to register that account with elevated, up to administrator, privileges. Used together, the two give an unauthenticated attacker administrative control of the website.

Affected scope

Joomla! 3.4.4 through 3.6.3 (inclusive)

Vulnerability detection

Check the version of Joomla! installed on your website. Any release from 3.4.4 through 3.6.3 is affected; 3.6.4 is the first fixed release.
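The following offline check for that range is an added example, not part of the original notice and not Joomla! project code. It assumes the two places where a Joomla! 3.x install records its version: libraries/cms/version/version.php (RELEASE plus DEV_LEVEL, written as class constants from 3.5 onward and as public properties on earlier 3.x releases) and administrator/manifests/files/joomla.xml (a full <version> string). The embedded version.php and joomla.xml fragments are constructed samples, not copied from a real site.

```python
"""Offline Joomla! version check for CVE-2016-8869/8870 (affected: 3.4.4 to 3.6.3)."""
import os
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected range from the advisory, and the first fixed release.
AFFECTED_MIN: Version = (3, 4, 4)
AFFECTED_MAX: Version = (3, 6, 3)
FIXED: Version = (3, 6, 4)

# Joomla! 3.x stores RELEASE ('3.6') and DEV_LEVEL ('3') in
# libraries/cms/version/version.php. 3.0-3.4 used public properties
# ($RELEASE), 3.5+ uses class constants (const RELEASE); match both.
_RELEASE_RE = re.compile(r"(?:const\s+|\$)RELEASE\s*=\s*'([0-9.]+)'")
_DEV_LEVEL_RE = re.compile(r"(?:const\s+|\$)DEV_LEVEL\s*=\s*'([0-9]+)'")
# administrator/manifests/files/joomla.xml carries the full version string.
_MANIFEST_RE = re.compile(r"<version>\s*([0-9]+(?:\.[0-9]+){1,2})\s*</version>")

# Constructed samples (assumption: shaped like the real files, not copied).
SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
    const PRODUCT = 'Joomla!';
    const RELEASE = '3.6';
    const DEV_LEVEL = '3';
    const DEV_STATUS = 'Stable';
}
"""
SAMPLE_VERSION_PHP_OLD = """<?php
final class JVersion
{
    public $RELEASE = '3.4';
    public $DEV_LEVEL = '4';
}
"""
SAMPLE_MANIFEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.6.4</version>
</extension>
"""


def parse_version_php(src: str) -> Optional[Version]:
    """Return (major, minor, patch) from a version.php body, or None if absent."""
    rel = _RELEASE_RE.search(src)
    dev = _DEV_LEVEL_RE.search(src)
    if not rel or not dev:
        return None
    return tuple(int(p) for p in rel.group(1).split(".")) + (int(dev.group(1)),)


def parse_manifest_xml(src: str) -> Optional[Version]:
    """Return the <version> of joomla.xml as a tuple, padded to three parts."""
    m = _MANIFEST_RE.search(src)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: Version) -> bool:
    """True when the version falls inside the advisory's inclusive range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(version: Optional[Version]) -> str:
    """Human-readable verdict; an unparsable version is reported, not assumed safe."""
    if version is None:
        return "unknown: version could not be parsed, check the site manually"
    label = ".".join(map(str, version))
    if is_affected(version):
        return f"{label}: AFFECTED, upgrade to {'.'.join(map(str, FIXED))} or later"
    if version < AFFECTED_MIN:
        return f"{label}: below the affected range (not covered by this advisory)"
    return f"{label}: not affected by CVE-2016-8869/8870"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python joomla_check.py /path/to/joomla/root
        root = sys.argv[1]
        for rel, parser in (("libraries/cms/version/version.php", parse_version_php),
                            ("administrator/manifests/files/joomla.xml", parse_manifest_xml)):
            try:
                with open(os.path.join(root, rel), encoding="utf-8") as fh:
                    print(f"{rel} -> {assess(parser(fh.read()))}")
            except OSError as exc:
                print(f"{rel} -> not readable: {exc}")
    else:
        print("version.php sample     ->", assess(parse_version_php(SAMPLE_VERSION_PHP)))
        print("old version.php sample ->", assess(parse_version_php(SAMPLE_VERSION_PHP_OLD)))
        print("joomla.xml sample      ->", assess(parse_manifest_xml(SAMPLE_MANIFEST_XML)))
```

Run it with the site's document root as the only argument to check a real install; with no argument it evaluates the constructed samples. Two caveats: the manifest file is usually world-readable over HTTP, so the same string that tells you the site is vulnerable also lets an attacker fingerprint it, and on Joomla! 3.8 or later the version class moved to libraries/src/Version.php, so a site where the old path is missing is already outside this advisory's range but should still be confirmed by another means rather than assumed safe.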

How to fix or mitigate

Upgrade Joomla! to 3.6.4 or later, which contains the fix for both issues.

References

[1] http://www.cnvd.org.cn/flaw/show/CNVD-2016-10055
[2] http://www.cnvd.org.cn/flaw/show/CNVD-2016-10056
[3] https://www.seebug.org/vuldb/ssvid-92096
[4] http://karmainsecurity.com/KIS-2016-11
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6174
[6] https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html
[7] https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html
