[20161003] – Core – Account Modifications

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 3.4.4 through 3.6.3
  • Exploit type: Account Modifications
  • Reported Date: 2016-October-26
  • Fixed Date: 2016-October-25
  • CVE Number: CVE-2016-9081

Description

Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Joomla! Security Strike Team

[20161002] – Core – Elevated Privileges

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 3.4.4 through 3.6.3
  • Exploit type: Elevated Privileges
  • Reported Date: 2016-October-21
  • Fixed Date: 2016-October-25
  • CVE Number: CVE-2016-8869

Description

Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Davide Tampellini

[20161001] – Core – Account Creation

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 3.4.4 through 3.6.3
  • Exploit type: Account Creation
  • Reported Date: 2016-October-18
  • Fixed Date: 2016-October-25
  • CVE Number: CVE-2016-8870

Description

Inadequate checks allows for users to register on a site when registration has been disabled.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

Reported By: Demis Palma

[20160802] – Core – XSS Vulnerability

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 1.6.0 through 3.6.0
  • Exploit type: XSS Vulnerability
  • Reported Date: 2016-February-05
  • Fixed Date: 2016-August-03
  • CVE Number: Requested

Description

Inadequate escaping leads to XSS vulnerability in mail component.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.0

Solution

Upgrade to version 3.6.1

Contact

The JSST at the Joomla! Security Centre.

Reported By: Dingjie (Daniel) Yang