Joomla has patched a pair of vulnerabilities in its CMS platforms that if left unfixed would allow attackers to create admin accounts and elevate privileges, respectively.
Both flaws carry a “High” severity rating and affect Joomla CMS versions 3.4.4 through 3.6.3, according to a pair of Oct. 25 security advisories.
The elevated-privilege flaw, CVE-2016-8869, is caused by incorrect use of unfiltered data, allowing users to register on a site with elevated privileges. The account-creation flaw, CVE-2016-8870, is caused by inadequate checks that allow users to register on a site even when registration has been disabled. The account-creation flaw was discovered by independent researcher Demis Palma on Oct. 18, and Joomla researchers spotted the second flaw not long after, according to Softpedia.
To avoid exploitation of the flaws, users are encouraged to update to version 3.6.4, as unpatched systems could allow an attacker to take over Joomla CMS installations.