User can obtain JWT token even if account is disabled

Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. Someone who never had an account cannot exploit this vulnerability. The fix ensures tokens are generated only for enabled...

VulnCheck KEV: CVE-2008-3681

components/comuser/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user lowest id" password, typically for the administrator...