Community Builder possible Security Issue

RE: www.joomlapolis.com/forum/153-professional-member-support/233881-community-builder-image-display-format

Rather than start a new item I'm replying within this thread because the update I performed was dine on July 8.

Was there a bug in Community Builder that may have allowed 2 illegal additions to our registered user list on June 30 and 1 on July 6? I suspect the errant entries originated in Poland. I am hoping that the update I performed on July 8 has plugged the hole. I cannot imagine how else this is happening. We have the latest Joomla update and all extensions are up to date. We have an SSL Certificate and SiteLock protection which has not detected any malware issues or other problems.

If there was a bug that allowed this problem and the update did not fix it will the new version include the fix?

I changed user names and passwords after June 30 and it happens again anyway.

There is no vulnerabilities in CB that we are aware of. If you did not lock down 3rd party or Joomla registration forms they likely registered outside of CB allowing them to bypass CB confirm and approval, but they wouldn't of been able to use CB login or many of CBs functionality. We released a plugin called CB Core Redirect that closes Joomla user component access and that is now built into CB 2.0.

We also provide CB AntiSpam to help protect against spam registrations and login attempts.

If you do have a vulnerability it's likely 3rd party registration that you didn't turn off. This could be core Joomla registration or a 3rd party extension that also has its own registration. If you're using CB Connect it will by default bypass approval and confirmation as well, but that's no vulnerability.