Here’s something you don’t see happening too often: both the 1.5 and the 1.6/1.7 streams are suffering from the same issue. In this case it’s something you really should pay attention to, as the devs have discovered that the random number generator used during password recovery is not quite up to scratch.
- Project: Joomla!
- SubProject: All
- Severity: High
- Versions: 1.7.2 and all 1.6.x versions
- Exploit type: Password Change
- Reported Date: 2011-October-28
- Fixed Date: 2011-November-14
“Weak random number generation during password reset leads to possibility of changing a user’s password.”
This release also fixes an XSS vulnerability. Be sure to upgrade to 1.7.3 as soon as you can.
The exact same issue affects all Joomla 1.5 versions up to 1.5.24, so upgrade websites on that series to 1.5.25 as soon as you can.
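As an added illustration (not Joomla’s own code), here is what a password-reset token flow looks like when it avoids the class of weakness the advisory describes: the token comes from the OS CSPRNG via `secrets` rather than a seedable PRNG, only a hash of it is stored, and verification is single-use, time-limited and constant-time. The function names and the in-memory store are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32            # 256 bits of entropy from the OS CSPRNG
TOKEN_TTL_SECONDS = 15 * 60 # reset links stop working after 15 minutes

# Constructed in-memory store standing in for a database table:
# username -> (sha256 hex of token, expiry as unix time)
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    # Store a hash so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a fresh reset token for the user and record only its hash."""
    now = time.time() if now is None else now
    # secrets.token_urlsafe draws from os.urandom; it cannot be re-seeded
    # or predicted from earlier outputs the way a plain PRNG can.
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _pending_resets[username] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token  # delivered to the user out of band (e-mail), never logged


def verify_reset_token(username: str, presented: str,
                       now: Optional[float] = None) -> bool:
    """Accept a token once, only while unexpired, comparing in constant time."""
    now = time.time() if now is None else now
    record = _pending_resets.get(username)
    if record is None:
        return False
    stored_hash, expiry = record
    if now > expiry:
        _pending_resets.pop(username, None)  # expired: discard it
        return False
    if not hmac.compare_digest(stored_hash, _hash_token(presented)):
        return False  # wrong token; the stored one stays valid until expiry
    _pending_resets.pop(username, None)  # single use: consume on success
    return True
```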