CVE-2016-8869

Published: Nov 4, 2016Modified: May 6, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

Affected (1)

Products: Joomla: Joomla!

Joomla

1 product

Joomla!

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Joomla Joomla!	Up to 3.6.3

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (16)

http://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/93883

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037108

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html

Source: cve@mitre.org

Vendor Advisory

https://github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf

Source: cve@mitre.org

Patch

https://medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r

Source: cve@mitre.org

https://www.exploit-db.com/exploits/40637/

Source: cve@mitre.org

ExploitThird Party Advisory

http://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc