Recently we discussed cyber attacks in the wild leveraging on compromised websites running Joomla CMS. For example, in February, security experts observed a spike in the number of compromised Joomla-base websites used in Admedia attacks.
This week a new release of the Joomla CMS was released, Joomla 3.6.4 version, and fixes two critical account creation vulnerabilities.
Both vulnerabilities have been rated high severity, the developers at the team fixed both in a few days.
The first flaw, tracked as CVE-2016-8870, could be exploited by an attacker to register on a website even when the registration has been disabled. The vulnerability affects the Joomla core in versions 3.4.4 through 3.6.3.
“Inadequate checks allows for users to register on a site when registration has been disabled.” states the description of the flaw published by Joomla.
The second flaw, tracked as CVE-2016-8869, can be exploited by users to register on a website, but with elevated privileges.
“Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.” states the description of the flaw published by Joomla.
The flaw was reported by Davide Tampellini on October 21, is caused by incorrect use of unfiltered data. Joomla versions affected ranges from 3.4.4 through 3.6.3.
The Joomla! Security Strike Team (JSST) urges administrators of websites running the popular CMS to update and patch their installations as soon as possible.
Now that the flaws have been publicly disclosed, crooks will try to exploit them in order to compromise websites and use them for illegal activities, for this reason, it is essential to urgently apply the updates.
(Security Affairs – Joomla CMS, hacking)