If you’re running a website on Joomla, you should update to the newly released 3.6.5 version as soon as possible – or risk your site being hijacked.
The newest version of the popular CMS was released on Tuesday (December 13); it fixes three vulnerabilities and several bugs, and adds a number of new security hardening mechanisms.
Among the fixed vulnerabilities is one (CVE-2016-9838) that is especially dangerous, as it could allow attackers to take over vulnerable websites and do what they want with them.
As explained by the Joomla Project Team: “Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.”
Worse yet, the vulnerability has been present since version 1.6.0 (released in early 2011) and affects every subsequent version up to and including 3.6.4.
Effectively, every Joomla installation out there that has not yet been updated to 3.6.5 is wide open to attacks.
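If you administer more than a handful of sites, the quickest way to triage is to read the version out of each install's core manifest and compare it against the affected range the advisory names (1.6.0 up to and including 3.6.4). The script below is an added example, not code from the article or from the Joomla project; it assumes, as is the case for Joomla 3.x, that the core manifest lives at administrator/manifests/files/joomla.xml and carries a <version> element, and the sample manifest embedded in it is constructed for the demonstration.

```python
"""Flag Joomla installs whose core version falls in the CVE-2016-9838 affected range.

Added example (not from the article or the Joomla project). Assumption: the core
manifest is at administrator/manifests/files/joomla.xml and has a <version> element.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

FIRST_AFFECTED = (1, 6, 0)   # advisory: present since 1.6.0
FIXED = (3, 6, 5)            # first release carrying the fix

# Assumed location of the core manifest inside a Joomla 3.x install root.
MANIFEST_REL_PATH = Path("administrator/manifests/files/joomla.xml")


def parse_version(text):
    """Turn '3.6.4', '3.6' or '3.6.5-rc1' into a comparable tuple like (3, 6, 4)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_manifest(xml_data):
    """Extract and parse the <version> element of a core manifest (str or bytes)."""
    root = ET.fromstring(xml_data)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return parse_version(node.text)


def is_affected(version):
    """True when 1.6.0 <= version < 3.6.5, i.e. the range the advisory describes."""
    return FIRST_AFFECTED <= version < FIXED


def check_install(root_dir):
    """Return (version_tuple, affected_flag) for the Joomla install at root_dir."""
    manifest = Path(root_dir) / MANIFEST_REL_PATH
    version = version_from_manifest(manifest.read_bytes())
    return version, is_affected(version)


# Constructed sample manifest, trimmed to the shape of a Joomla 3.x core manifest.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.6.4</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print(".".join(map(str, v)), "AFFECTED" if is_affected(v) else "not affected")
```

Point `check_install()` at each web root you manage; anything it flags should be updated to 3.6.5 before anything else on the list. Comparing as integer tuples rather than strings matters here, since a naive string comparison would rank "3.10.0" below "3.6.5".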
And judging by the speed at which previous critical Joomla vulnerabilities have been weaponized, we are mere days if not hours away from active attacks hammering this flaw.
This security update also includes additional security hardening mechanisms that restrict a user’s ability to make potentially damaging configuration changes.