Recently, it was revealed that the Joomla! content management system has an account creation vulnerability, CVE-2016-8869, and a privilege escalation vulnerability, CVE-2016-8870. A remote attacker can bypass security restrictions to create an account even when registration is closed, escalate to administrator privileges, and thus remotely control the website.
See the following for more information about the vulnerability.
CVE identifier: CVE-2016-8869 / CVE-2016-8870
Vulnerability name: Joomla! account creation vulnerability and privilege escalation vulnerability
Vulnerability description: The vulnerabilities allow a remote attacker to bypass security restrictions to create an account, escalate to administrator privileges, and thus remotely control the website.
Affected scope: Joomla! 3.4.4 to 3.6.3
Vulnerability detection: Check whether the Joomla! version installed on your website is in the range 3.4.4 to 3.6.3.
How to fix or mitigate: Upgrade Joomla! to 3.6.4 or later.
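The detection step above amounts to a version comparison, and a common mistake is to compare version strings lexically ("3.10.0" sorts before "3.6.4" as text). The following is an added example, not part of this advisory or of the Joomla! project, that reads the version out of a Joomla! 3.x version file and checks it against the affected range 3.4.4 to 3.6.3 and the fixed version 3.6.4 using numeric comparison. It assumes the 3.x layout in which libraries/cms/version/version.php defines the constants RELEASE and DEV_LEVEL; the file contents below are constructed sample input.

```python
import re
from typing import Optional, Tuple

# Affected range and first fixed version, as stated in the advisory.
AFFECTED_MIN = (3, 4, 4)
AFFECTED_MAX = (3, 6, 3)
FIXED_MIN = (3, 6, 4)

# Assumption: Joomla! 3.x stores its version in libraries/cms/version/version.php
# as RELEASE ("3.6") plus DEV_LEVEL ("3"). This is a constructed sample of that file.
SAMPLE_VERSION_PHP = """<?php
class JVersion
{
    const RELEASE = '3.6';
    const DEV_STATUS = 'Stable';
    const DEV_LEVEL = '3';
}
"""


def version_from_php(source: str) -> Optional[str]:
    """Extract 'RELEASE.DEV_LEVEL' (e.g. '3.6.3') from the version file text."""
    release = re.search(r"const\s+RELEASE\s*=\s*'([0-9.]+)'", source)
    level = re.search(r"const\s+DEV_LEVEL\s*=\s*'([0-9]+)'", source)
    if release is None or level is None:
        return None
    return f"{release.group(1)}.{level.group(1)}"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.6.3' into (3, 6, 3) so comparisons are numeric, not lexical.

    Missing components are treated as 0, so '3.6' becomes (3, 6, 0).
    """
    parts = text.strip().split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric major.minor.patch version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str) -> str:
    """Classify a version against the advisory: affected, patched, or older."""
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "older than affected range"
    if v <= AFFECTED_MAX:
        return "affected: upgrade to 3.6.4 or later"
    return "patched (3.6.4 or later)"


def assess_php_file(source: str) -> str:
    """Run the check directly on the contents of a version file."""
    found = version_from_php(source)
    if found is None:
        return "version not found"
    return f"{found}: {assess(found)}"


if __name__ == "__main__":
    print(assess_php_file(SAMPLE_VERSION_PHP))
    for v in ("3.4.3", "3.4.4", "3.6.3", "3.6.4", "3.10.0"):
        print(v, "->", assess(v))
```

The numeric tuple comparison is the point: a plain string comparison would report 3.10.0 as affected because "3.1" sorts before "3.4". Versions older than 3.4.4 are reported as outside the range rather than as safe, since this advisory only states what is affected from 3.4.4 onwards.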
References:
[1]. http://www.cnvd.org.cn/flaw/show/CNVD-2016-10055
[2]. http://www.cnvd.org.cn/flaw/show/CNVD-2016-10056
[3]. https://www.seebug.org/vuldb/ssvid-92096
[4]. https://invisionpower.com/
[5]. http://windows.php.net/downloads/releases/archives/
[6]. http://karmainsecurity.com/KIS-2016-11
[7]. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6174
[8]. https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html
[9]. https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html