CVE-2008-3681
published 2008-08-14

Priority: P2 · 73 · high · 7.5 (CVSS 2.0)
Vector: AV:N / AC:L / Au:N / C:P / I:P / A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 9.40% (94.8th percentile)

components/com_user/models/reset.php in Joomla! 1.5 through 1.5.5 does not properly validate reset tokens, which allows remote attackers to reset the "first enabled user (lowest id)" password, typically for the administrator.

Affected

13 ranges
Vendor    Product     Version range    Fixed in
joomla    com_user
joomla    com_user
joomla    com_user
joomla    com_user
joomla    com_user
joomla    com_user
joomla    joomla
joomla    joomla
joomla    joomla
joomla    joomla
joomla    joomla
joomla    joomla
joomla    joomla

Detection & IOCs (extracted from sources)

url: target.com/index.php?option=com_user&view=reset&layout=confirm
path: /components/com_user/controller.php
path: /components/com_user/models/reset.php
  • Monitor HTTP POST requests to index.php?option=com_user&view=reset&layout=confirm containing a single quote (') as the token field value — this is the exploit trigger for the SQL injection bypass.
  • Detect SQL injection in the activation token parameter: the vulnerable query concatenates user input directly — look for requests where the token value is a single quote or causes the WHERE clause to evaluate to an empty string match.
  • The vulnerability exists specifically in Joomla! 1.5.x versions prior to the patch; the vulnerable code path is in the com_user component's reset password confirmation flow.
  • CVE-2008-4102 (weak PRNG seed for mt_rand) is a distinct but related vulnerability in the same Joomla 1.5 codebase affecting password reset tokens; do not conflate with CVE-2008-3681 (SQL injection token bypass).
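
The monitoring rule in the first bullet, as added example code (not from the page's sources or the Joomla project): it flags POSTs to the reset-confirm URL whose `token` value decodes to a single quote or contains one. The log record layout, the form field name `token`, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records, not real traffic. Assumes a proxy or WAF log
# that captures form bodies; plain access logs usually omit POST bodies.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "POST", "body": "token=%27",
     "url": "/index.php?option=com_user&view=reset&layout=confirm"},
    {"src": "198.51.100.8", "method": "POST", "body": "token=%2527",
     "url": "/index.php?option=com_user&view=reset&layout=confirm"},
    {"src": "203.0.113.5", "method": "POST", "body": "token=9f2c4e1ab07d",
     "url": "/index.php?option=com_user&view=reset&layout=confirm"},
    {"src": "203.0.113.6", "method": "GET", "body": "",
     "url": "/index.php?option=com_user&view=reset&layout=confirm"},
    {"src": "203.0.113.9", "method": "POST", "body": "token=%27",
     "url": "/index.php?option=com_content&view=article"},
]

RESET_CONFIRM = {"option": "com_user", "view": "reset", "layout": "confirm"}

def merged_params(url, body):
    """Combine query-string and form-body parameters, keeping blank values."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params

def classify(req):
    """Return 'exact-trigger', 'quote-in-token', or None for one request."""
    path = urlsplit(req["url"]).path
    if req["method"].upper() != "POST" or not path.endswith("index.php"):
        return None
    params = merged_params(req["url"], req.get("body", ""))
    if any(want not in params.get(k, []) for k, want in RESET_CONFIRM.items()):
        return None
    for raw in params.get("token", []):
        token = unquote(raw).strip()  # second decode catches %2527
        if token == "'":
            return "exact-trigger"
        if "'" in token:
            return "quote-in-token"
    return None

def scan(requests):
    """Return (source, verdict) for every request that matches."""
    return [(r["src"], v) for r in requests if (v := classify(r))]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```
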

CVSS provenance

nvd              v2.0    7.5    HIGH    AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck                7.5    HIGH
vendor_redhat            2.6    LOW