CVE-2008-3681
Published 2008-08-14
Priority: P273 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.40% (94.8th percentile)
components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | com_user | — | — |
| joomla | com_user | — | — |
| joomla | com_user | — | — |
| joomla | com_user | — | — |
| joomla | com_user | — | — |
| joomla | com_user | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
| joomla | joomla | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to index.php?option=com_user&view=reset&layout=confirm containing a single quote (') as the token field value — this is the exploit trigger for the SQL injection bypass.
- Detect SQL injection in the activation token parameter: the vulnerable query concatenates user input directly — look for requests where the token value is a single quote or causes the WHERE clause to evaluate to an empty string match.
- The vulnerability exists specifically in Joomla! 1.5.x versions prior to the patch; the vulnerable code path is in the com_user component's reset password confirmation flow.
- CVE-2008-4102 (weak PRNG seed for mt_rand) is a distinct but related vulnerability in the same Joomla 1.5 codebase affecting password reset tokens; do not conflate with CVE-2008-3681 (SQL injection token bypass).
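The first two checks above can be run over request records that include the POST body (for example from a WAF or reverse-proxy log, since plain access logs usually omit it). The following is an added example, not code from this page or from Joomla; the body field name `token`, the record layout and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the reset form submits the token in a body field named "token".
TOKEN_FIELD = "token"


def is_reset_confirm(url):
    """True when the URL targets the com_user reset confirmation view."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return (parts.path.endswith("index.php")
            and query.get("option") == ["com_user"]
            and query.get("view") == ["reset"]
            and query.get("layout") == ["confirm"])


def classify(method, url, body):
    """Return 'alert', 'suspicious' or None for one HTTP request."""
    if method.upper() != "POST" or not is_reset_confirm(url):
        return None
    # parse_qs URL-decodes values, so %27 is compared as a literal quote.
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get(TOKEN_FIELD, []):
        if value.strip() == "'":
            return "alert"        # token is exactly a single quote
        if "'" in value:
            return "suspicious"   # quote embedded in a token value
    return None


def scan(requests):
    """Return (source address, verdict) for every flagged request."""
    return [(r["src"], verdict) for r in requests
            if (verdict := classify(r["method"], r["url"], r["body"]))]


# Constructed sample records (documentation address ranges, made-up tokens).
CONFIRM = "/index.php?option=com_user&view=reset&layout=confirm"
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "url": CONFIRM,
     "body": "token=%27&abc123=1"},
    {"src": "192.0.2.10", "method": "POST", "url": CONFIRM,
     "body": "token=c0ffee00c0ffee00&abc123=1"},
    {"src": "203.0.113.5", "method": "POST", "url": CONFIRM,
     "body": "token=ab%27cd&abc123=1"},
    {"src": "192.0.2.44", "method": "POST",
     "url": "/index.php?option=com_user&view=login", "body": "token=%27"},
]
```
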
CVSS provenance
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck · 7.5 HIGH
- vendor_redhat · 2.6 LOW
GHSA
GHSA-7vxv-78cg-w3q2: components/com_user/models/reset
ghsa_unreviewed·2022-05-02
CVE-2008-3681 [HIGH] GHSA-7vxv-78cg-w3q2: components/com_user/models/reset
components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator.
GHSA
GHSA-cp48-2wcf-rx78: Joomla! 1
ghsa_unreviewed·2022-05-02·CVSS 7.5
CVE-2008-4102 [HIGH] GHSA-cp48-2wcf-rx78: Joomla! 1
Joomla! 1.5 before 1.5.7 initializes PHP's PRNG with a weak seed, which makes it easier for attackers to guess the pseudo-random values produced by PHP's mt_rand function, as demonstrated by guessing password reset tokens, a different vulnerability than CVE-2008-3681.
VulnCheck
Joomla! components/com_user/models/reset.php First Enabled User Vulnerability
vulncheck·2008·CVSS 7.5
CVE-2008-3681 [HIGH] Joomla! components/com_user/models/reset.php First Enabled User Vulnerability
components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator.
Affected: Joomla! com_user
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/Joomla+user+password+reset+vulnerability+being+actively+exploited/4894/
Red Hat
awstats: Cross-site scripting (XSS) vulnerability
vendor_redhat·2008-06-23·CVSS 2.6
CVE-2008-3714 [LOW] CWE-79 awstats: Cross-site scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.
No detection rules found.
- http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html
- http://secunia.com/advisories/31457
- http://securityreason.com/securityalert/4157
- http://www.securityfocus.com/bid/30667
- http://www.securitytracker.com/id?1020687
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44430
- https://www.exploit-db.com/exploits/6234
Published: 2008-08-14