Joomla has released the new version Joomla 3.6.4 that fixes two critical account creation vulnerabilities affecting the popular CMS.
Recently we discussed cyber attacks in the wild leveraging compromised websites running the Joomla CMS. For example, in February, security experts observed a spike in the number of compromised Joomla-based websites used in Admedia attacks.
This week the Joomla project released a new version of the CMS, Joomla 3.6.4, which fixes two critical account creation vulnerabilities.
Both vulnerabilities have been rated high severity; the Joomla developers fixed both within a few days.
The first flaw, tracked as CVE-2016-8870, could be exploited by an attacker to register on a website even when registration has been disabled. The vulnerability affects the Joomla core in versions 3.4.4 through 3.6.3.
“Inadequate checks allows for users to register on a site when registration has been disabled.” states the description of the flaw published by Joomla.
The second flaw, tracked as CVE-2016-8869, allows users to register on a website with elevated privileges.
“Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.” states the description of the flaw published by Joomla.
The flaw, reported by Davide Tampellini on October 21, is caused by incorrect use of unfiltered data; it affects Joomla versions 3.4.4 through 3.6.3.
The Joomla! Security Strike Team (JSST) urges administrators of websites running the popular CMS to update and patch their installations as soon as possible.
Now that the flaws have been publicly disclosed, crooks will try to exploit them to compromise websites and use them for illegal activities; for this reason it is essential to apply the updates urgently.
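As an added example (not from the article or the Joomla project), a small Python audit that reads a Joomla 3.x version file and reports whether the install falls inside the affected range 3.4.4 through 3.6.3. The file path `libraries/cms/version/version.php` and the `$RELEASE`/`$DEV_LEVEL` fields are assumed from the Joomla 3.x layout; the sample file contents are constructed.

```python
import re
from pathlib import Path

# Affected range from the advisory: Joomla 3.4.4 through 3.6.3; fixed in 3.6.4.
AFFECTED_MIN = (3, 4, 4)
AFFECTED_MAX = (3, 6, 3)
FIXED = (3, 6, 4)

# Assumed Joomla 3.x layout: libraries/cms/version/version.php declares
# `public $RELEASE = '3.6';` and `public $DEV_LEVEL = '3';`.
_RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'([0-9.]+)'")
_DEV_LEVEL_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'([0-9]+)'")


def parse_version(php_source: str) -> tuple:
    """Extract (major, minor, patch) from the contents of Joomla's version.php."""
    rel = _RELEASE_RE.search(php_source)
    dev = _DEV_LEVEL_RE.search(php_source)
    if not rel or not dev:
        raise ValueError("could not find $RELEASE / $DEV_LEVEL in version file")
    major, minor = (int(x) for x in rel.group(1).split(".")[:2])
    return (major, minor, int(dev.group(1)))


def is_affected(version: tuple) -> bool:
    """True if the version is in the range vulnerable to CVE-2016-8869/CVE-2016-8870."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit(joomla_root: str) -> dict:
    """Read the version file under a Joomla root directory and report its status."""
    path = Path(joomla_root) / "libraries" / "cms" / "version" / "version.php"
    version = parse_version(path.read_text(encoding="utf-8"))
    return {"version": ".".join(map(str, version)),
            "affected": is_affected(version),
            "fixed_in": ".".join(map(str, FIXED))}


# Constructed samples standing in for the relevant lines of a real version.php.
SAMPLE_VULNERABLE = "    public $RELEASE = '3.6';\n    public $DEV_LEVEL = '3';\n"
SAMPLE_PATCHED = "    public $RELEASE = '3.6';\n    public $DEV_LEVEL = '4';\n"

if __name__ == "__main__":
    for label, src in (("sample 3.6.3", SAMPLE_VULNERABLE), ("sample 3.6.4", SAMPLE_PATCHED)):
        v = parse_version(src)
        print(label, "affected" if is_affected(v) else "not affected")
```

Run `audit("/var/www/html")` (or whatever the site root is) against a live install; a result with `affected: True` means the site needs the 3.6.4 update.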
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".