components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator.
Software | From | Fixed in |
---|---|---|
Joomla / com_user | 1.5 | 1.5.x |
Joomla / com_user | 1.5.1 | 1.5.1.x |
Joomla / com_user | 1.5.2 | 1.5.2.x |
Joomla / com_user | 1.5.3 | 1.5.3.x |
Joomla / com_user | 1.5.4 | 1.5.4.x |
Joomla / com_user | 1.5.5 | 1.5.5.x |