CVE-2016-8870: Input Validation
First published: Fri Nov 04 2016(Updated: )
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Joomla | <=3.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc
- http://www.securityfocus.com/bid/93876
- http://www.securitytracker.com/id/1037107
- http://www.securitytracker.com/id/1037108
- https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
- https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html
- https://github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf
- https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r
- https://www.exploit-db.com/exploits/40637/
- https://medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/joomla
- canonical/joomla
- version/joomla/3.6.3