vulnerability

FreeBSD: VID-624b45c0-c7f3-11e6-ae1b-002590263bf5 (CVE-2016-9836): Joomla! -- multiple vulnerabilities

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Dec 22, 2016

Added

Dec 22, 2016

Modified

Jun 15, 2026

Description

The file scanning mechanism of JFilterInput::isFileSafe() in Joomla! CMS before 3.6.5 does not consider alternative PHP file extensions when checking uploaded files for PHP content, which enables a user to upload and execute files with the `.php6`, `.php7`, `.phtml`, and `.phpt` extensions. Additionally, JHelperMedia::canUpload() did not blacklist these file extensions as uploadable file types.

Solution

freebsd-upgrade-package-joomla3

References

CVE-2016-9836
https://attackerkb.com/topics/CVE-2016-9836
CWE-284
EUVD-EUVD-2016-10636
https://euvd.enisa.europa.eu/vulnerability/EUVD-2016-10636

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report