Doesn't seem to be reported elsewhere on this forum, but Joomla 3.6.4 is a critical security release.
This update fixes a bug that allows a user to register on a website with elevated privileges.
Affects Joomla! 3.4.4 through 3.6.3
From the Joomla website:
Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses two critical security vulnerabilities and a bug fix for two-factor authentication.
We strongly recommend that you update your sites immediately.
This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release.
https://www.joomla.org/announcements/release-news/5679-revised-assessment-of-3-6-4-security-release.html
			
			
			
And for those who can't update their Joomla 3.x website immediately to Joomla 3.6.4 for one reason or another, there is a plugin in the Joomla Extensions Directory which provides a temporary first-aid security fix: https://extensions.joomla.org/extensions/extension/access-a-security/account-blocker
			
			
			
Probably already too late for many. I have been asked to look at 3 sites over the weekend, all three of which had been found to have new administrators registered. There were four new admins on one of the sites, one of whom, according to the access logs, had been busy. Two of the sites were on J3.6.2 and one was on J3.6.3; the owners thought they would "leave it to the weekend" to update. I gave them some advice about security and suggested they revert to whatever backups they had and ensure that J! and all extensions were up to date before going back online.
So if you have not yet updated, check the user list!
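
An added example of the "check the user list" step, not code from this thread or from the Joomla project: it lists every account that sits in one of Joomla's back-end groups and flags any that the site owner does not recognise or that were registered recently. The tables, the `jos_` prefix and the rows are constructed sample data in an in-memory SQLite database that mirrors the shape of Joomla 3's `#__users`, `#__user_usergroup_map` and `#__usergroups` tables (default group ids 6 = Manager, 7 = Administrator, 8 = Super Users); for a live site, point the PDO DSN at the real MySQL database and take the prefix from `configuration.php`.

```php
<?php
// Added example: audit a Joomla 3 user table for accounts in back-end groups.
// Everything below is constructed sample data shaped like Joomla's tables;
// the only site-specific inputs are the DSN, the table prefix and the list of
// usernames the owner recognises.

function buildSampleDb(string $prefix): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE {$prefix}users (id INTEGER PRIMARY KEY, name TEXT, username TEXT,
               email TEXT, registerDate TEXT, lastvisitDate TEXT)");
    $db->exec("CREATE TABLE {$prefix}usergroups (id INTEGER PRIMARY KEY, title TEXT)");
    $db->exec("CREATE TABLE {$prefix}user_usergroup_map (user_id INTEGER, group_id INTEGER)");
    // Joomla's default ACL groups (subset)
    $db->exec("INSERT INTO {$prefix}usergroups VALUES
               (2,'Registered'),(6,'Manager'),(7,'Administrator'),(8,'Super Users')");
    // constructed accounts: the real owner, one customer, two accounts nobody created on purpose
    $db->exec("INSERT INTO {$prefix}users VALUES
        (42,  'Site Owner',    'owner',        'owner@example.com', '2015-03-01 10:00:00', '2016-10-27 08:00:00'),
        (77,  'Jane Customer', 'jane',         'jane@example.com',  '2016-09-12 09:30:00', '2016-10-20 12:00:00'),
        (901, 'adm1n',         'xx_admin',     'x@example.net',     '2016-10-24 03:14:07', '2016-10-24 03:15:00'),
        (902, 'support',       'support_team', 'y@example.net',     '2016-10-25 22:41:11', '0000-00-00 00:00:00')");
    $db->exec("INSERT INTO {$prefix}user_usergroup_map VALUES (42,8),(77,2),(901,8),(902,7)");
    return $db;
}

/**
 * Return every account in a Manager/Administrator/Super Users group that was
 * registered on or after $since, or whose username is not in $knownAdmins.
 */
function findSuspiciousAdmins(PDO $db, string $prefix, string $since, array $knownAdmins): array
{
    $sql = "SELECT u.id, u.username, u.email, u.registerDate, u.lastvisitDate, g.title AS grp
            FROM {$prefix}users u
            JOIN {$prefix}user_usergroup_map m ON m.user_id = u.id
            JOIN {$prefix}usergroups g ON g.id = m.group_id
            WHERE m.group_id IN (6, 7, 8)
            ORDER BY u.registerDate DESC";
    $flagged = [];
    foreach ($db->query($sql) as $row) {
        $recent  = $row['registerDate'] >= $since;             // ISO-8601 strings compare lexically
        $unknown = !in_array($row['username'], $knownAdmins, true);
        if ($recent || $unknown) {
            $flagged[] = $row;
        }
    }
    return $flagged;
}

$prefix  = 'jos_';   // assumed table prefix; read $dbprefix from configuration.php on a real site
$db      = buildSampleDb($prefix);
$flagged = findSuspiciousAdmins($db, $prefix, '2016-10-20 00:00:00', ['owner']);
foreach ($flagged as $row) {
    printf("%-5s %-14s %-14s registered %s  last visit %s\n",
        $row['id'], $row['username'], $row['grp'], $row['registerDate'], $row['lastvisitDate']);
}
```

On the sample data the two constructed accounts 901 and 902 are flagged and the owner is not. A last-visit date of `0000-00-00 00:00:00` is Joomla's "never logged in" value, so an admin account with a recent registration date and no login yet is worth a look in the access logs as well.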
			
			
			
				
It would be better if Joomla did this, as it would then benefit all users, not just those of VM.
Why don't you consider putting this to the Joomla team?
Posting advisories on things that are related to operating systems seems somewhat out of scope (Dirty Cow).
			
			
			
Only one of the sites I looked at was a VM site, so I agree that this should be a Joomla facility. All three had received frequent emails from the System - Joomla! Update Notification plugin, so maybe that plugin could be adapted to also flag up a security warning to the site owner. Not a VM problem, though.
			
			
			
Hi all, I can confirm that this is a real big vulnerability!
I had a customer site with 4 new administrator accounts in 1 day!
So use the JJK GitHub plugin or update your websites IMMEDIATELY!!!!
			
			
			
lol, it is not a vulnerability, it is just an open door. ;-) Or at least a leak!
I'll try to write an analogy. Imagine there is a villa with a firm door in the front, but the gate to the garden is open (open source). You just go into the garden and there is a door to the basement. The door has a hole for the key, but no lock behind it. So it was enough just to put in a finger and pull.
And remember when we had the theoretical vulnerability in the same area? We had a shitstorm. We got accused that we would not know how to do it right and all that shit. I told them already at that time how to close the vulnerability.
A vulnerability is exactly a security bug which is usually NOT exploitable. If it is easy to exploit, we call it a leak! When we had our vulnerability, that you could set the "isAdmin" internal JUser variable to "true" by form, I told them that this is an architectural security issue. The JUser object must be safe by itself. It can't be right that a small error opens the whole installation.
No, they insisted that it was our error and that they had to do nothing against it. One guy wrote at Golem (German nerd news magazine) that Joomla does not consider unexploitable vulnerabilities a problem. But that is a problem, because that way we will never have a secure system.
We often prevented security leaks of Joomla by VM itself. But this time it was not possible without an extra plugin. The devs of Community Builder provided a plugin which redirects any registration to CB, and so any CB installation with the active plugin is secure.
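
An added illustration of the architectural point made above (that a user object must be safe by itself rather than relying on every caller to filter form input). This is not VirtueMart, Joomla or Community Builder code; the class and field names are assumptions chosen for the example. The first class binds whatever keys the form sends, so an internal flag or the group list can be overwritten from outside; the second only binds an explicit allowlist, keeps the privileged state private, and reports the unexpected keys so they can be logged.

```php
<?php
// Added example, not from the thread: loose binding of form data next to
// allowlisted binding. Names and fields are assumptions for illustration.

class LooseUser
{
    public $username = '';
    public $email    = '';
    public $isAdmin  = false;   // internal flag, never meant to come from a form
    public $groups   = [2];     // 2 = Registered in Joomla's default ACL

    // Copies every submitted key that matches a property: a form field named
    // "isAdmin" or "groups" silently overrides internal state.
    public function bind(array $data): void
    {
        foreach ($data as $key => $value) {
            if (property_exists($this, $key)) {
                $this->$key = $value;
            }
        }
    }
}

class StrictUser
{
    private const BINDABLE = ['username', 'email'];   // the only keys a form may set

    public  $username = '';
    public  $email    = '';
    private $isAdmin  = false;   // private: no external code path can flip it
    private $groups   = [2];

    // Binds only allowlisted keys and returns the ones it refused, so the
    // caller can log a registration form that carried unexpected fields.
    public function bind(array $data): array
    {
        $rejected = [];
        foreach ($data as $key => $value) {
            if (in_array($key, self::BINDABLE, true)) {
                $this->$key = $value;
            } else {
                $rejected[] = $key;
            }
        }
        return $rejected;
    }

    public function isAdmin(): bool { return $this->isAdmin; }
    public function groups(): array { return $this->groups; }
}

// constructed payload standing in for a decoded registration form that
// carries two extra keys the form was never supposed to contain
$form = ['username' => 'newuser', 'email' => 'new@example.com', 'isAdmin' => true, 'groups' => [8]];

$loose = new LooseUser();
$loose->bind($form);
printf("loose:  isAdmin=%s groups=%s\n",
    var_export($loose->isAdmin, true), implode(',', $loose->groups));

$strict   = new StrictUser();
$rejected = $strict->bind($form);
printf("strict: isAdmin=%s groups=%s rejected=%s\n",
    var_export($strict->isAdmin(), true), implode(',', $strict->groups()), implode(',', $rejected));
```

The allowlist is the whole point: the fix lives inside the object, so a later change elsewhere in the code base (the "code just waiting for a change" described later in this thread) cannot turn the loose binding into an exploitable path.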
			
			
			
It's a full vulnerability: the hacker can create administrator accounts and change the order statuses.
If you prefer, I took a screenshot before removing the accounts and protecting the website (I don't fully manage this site).
			
			
			
Patrick, just reread it again; your answer doesn't really make sense.
			
			
			
Sorry Max, I'm perhaps not the best in English, but I know what a vulnerability is.
Check any English dictionary; it's exactly one of the definitions: "susceptible to attack", "open to assault; difficult to defend". SO when you say an open door, it's a vulnerability by definition!
And the word means the same in French, perhaps not in German?
			
			
			
"I've found a simple way to self-register users to a Joomla website from 1.6 to the latest 3.6, despite the user auto-registration feature having been disabled.
This allows an attacker to gain the Registered access level (or a different level, based on the configuration) and to see content reserved for manually registered and trusted users."
- http://www.fox.ra.it/technical-articles/how-i-found-a-joomla-vulnerability.html
			
			
			
The vulnerability was/is present in versions before 3.4.4, but another bug stopped it from being exploited! http://www.fionacoulter.com/blog/joomla-security-release-3-6-4-breaking-the-code-by-fixing-it/
			
			
			
Exactly, and when you can exploit a vulnerability, it is a leak. The Joomla guys see it so that they have no problem with a vulnerability as long as it cannot be exploited. If someone finds a way to exploit it, regardless of how difficult, they handle it as a security problem. But they do not handle non-exploitable vulnerabilities. But a non-exploitable vulnerability means that the code is just waiting for a change which makes the vulnerability exploitable.
Patrick, just think about why you say "to exploit a vulnerability".
https://en.wikipedia.org/wiki/Vulnerability_(computing)
As you can see, there are a lot of definitions for it.
I just follow these definitions:
ENISA defines vulnerability in [10] as:
"The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved." (ITSEC)
The Open Group defines vulnerability in [11] as:
"The probability that threat capability exceeds the ability to resist the threat."
Because when I want to express that the vulnerability is exploitable, I can directly call it a leak. From my viewpoint it is just sloppy talk to mix vulnerability with leak.