7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.099 Low
EPSS
Percentile
94.9%
Joomla project reports:
A flaw in the reset token validation mechanism allows
for non-validating tokens to be forged. This will allow
an unauthenticated, unauthorized user to reset the password
of the first enabled user (lowest id). Typically, this is
an administrator user. Note, that changing the first users
username may lessen the impact of this exploit (since the
person who changed the password does not know the login
associated with the new password). However, the only way
to completely rectify the issue is to upgrade to 1.5.6
(or patch the /components/com_user/models/reset.php file).