An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.

According to its self-reported version number, the detected Joomla! application is affected by multiple vulnerabilities :

 - A flaw exists in the JFilterInput::isFileSafe() function due to improper validation of file types and extensions of uploaded files before placing them in a user-accessible path. An unauthenticated, remote attacker can exploit this issue, by uploading a specially crafted file using an alternative PHP extension and then requesting it, to execute arbitrary code with the privileges of the web service. Note that this issue affects versions 3.0.0 to 3.6.4. (CVE-2016-9836)

 - An information disclosure vulnerability exists in the Beez3 com_content article layout override due to inadequate access control list (ACL) checks. An authenticated, remote attacker can exploit this to disclose restricted content. Note that this issue affects versions 3.0.0 to 3.6.4. (CVE-2016-9837)

 - A privilege escalation vulnerability exists due to improper validation of form data before storing it in the session. An authenticated, remote attacker can exploit this, via a specially crafted request, to modify existing user accounts, such as resetting credentials or group assignments. (CVE-2016-9838)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The JSST and the Joomla! Security Center report : [20161201] - Core - Elevated Privileges Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments. [20161202] - Core - Shell Upload Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded. [20161203] - Core - Information Disclosure Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.

According to its self-reported version number, the Joomla! installation running on the remote web server is prior to 3.6.5. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the JFilterInput::isFileSafe() function     due to improper validation of file types and extensions     of uploaded files before placing them in a     user-accessible path. An unauthenticated, remote     attacker can exploit this issue, by uploading a     specially crafted file using an alternative PHP     extension and then requesting it, to execute arbitrary     code with the privileges of the web service. Note that     this issue affects versions 3.0.0 to 3.6.4.
    (CVE-2016-9836)

  - An information disclosure vulnerability exists in the     Beez3 com_content article layout override due to     inadequate access control list (ACL) checks. An     authenticated, remote attacker can exploit this to     disclose restricted content. Note that this issue     affects versions 3.0.0 to 3.6.4. (CVE-2016-9837)

  - A privilege escalation vulnerability exists due to     improper validation of form data before storing it in     the session. An authenticated, remote attacker can     exploit this, via a specially crafted request, to modify     existing user accounts, such as resetting credentials or     group assignments. (CVE-2016-9838)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98413	Joomla! 1.6.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98412	Joomla! 1.7.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98411	Joomla! 2.5.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98410	Joomla! 3.0.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98409	Joomla! 3.1.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98408	Joomla! 3.2.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98406	Joomla! 3.3.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98405	Joomla! 3.4.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98404	Joomla! 3.5.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98403	Joomla! 3.6.x < 3.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
96059	FreeBSD : Joomla! -- multiple vulnerabilities (624b45c0-c7f3-11e6-ae1b-002590263bf5)	Nessus	FreeBSD Local Security Checks	critical
95916	Joomla! < 3.6.5 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2016-9838

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical