Critical Vulnerabilities in Joomla 3.4.4 and Above

Joomla 3.4.4 and above have critical vulnerabilities allowing unauthorized user creation and elevated privileges. Users should update promptly.

Dmytro

Two serious vulnerabilities have been discovered in the popular content management system Joomla. An attacker can exploit them to compromise a website and, theoretically, gain full control of the server.

The first vulnerability is the Account Creation Vulnerability (CVE-2016-8870). Exploiting this flaw allows unauthorized creation of a CMS user account even if user registration is prohibited by settings. The second vulnerability, Elevated Privileges (CVE-2016-8869), allows for the creation of a privileged user (for example, an administrator with access to all data).

Currently, there are no details about the technical aspects of the discovered flaws; however, the high severity level assigned to these vulnerabilities suggests the possibility of mass hacks. Therefore, we recommend that all users of Joomla versions 3.4.4 through 3.6.3 promptly update their CMS.

Detailed information about the update is available on the official Joomla project website.
