A vulnerability was reported in Joomla! 1.5 - 1.5.5. A remote user can reset the password of a certain account.

The password reset mechanism does not function properly. A remote user can reset the password for the first enabled user, which is typically the administrative user.

The vulnerability resides in 'com_user/models/reset.php'.

Marijke Stuivenberg reported this vulnerability.

More info can be found at www.securitytracker.com or joomla.org