Joomla! updates close security holes
The Joomla! open source CMS has been updated after a flaw was found in the random number generation used when resetting passwords; the resulting reset values were predictable enough that an attacker could exploit them to change a user's password. The 1.5.x, 1.6.x and 1.7.x branches are affected. Joomla! 1.5.25 and 1.7.3 have been released to address the issue, which the developers rate as "high-risk". A second security issue in the 1.7.x branch, inadequate filtering of an unspecified field that could be used for cross-site scripting (XSS) attacks, has also been addressed.
Versions of the 1.5.x and 1.7.x branches up to and including 1.5.24 and 1.7.2 are affected, as is the entire 1.6.x branch. The update also addresses more than 70 non-security-related bugs. All users are advised to upgrade. More details about the updates can be found in the 1.5.25 and 1.7.3 release announcements, as well as the Joomla! security advisories. Joomla! 1.5.25 and 1.7.3 are available to download from the project's site. Joomla! is licensed under the GPL and is sponsored by Open Source Matters, Inc., a non-profit organisation.
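The fix implies the defensive pattern below; as an added illustration that is not Joomla's own code: reset tokens are drawn from the operating system's CSPRNG rather than a seeded or predictable generator, only a hash of the token is stored, the token expires and is single-use, and the comparison is constant-time. The in-memory store and the 15-minute TTL are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store for the example: username -> (sha256(token), expiry).
# A real CMS would keep this in its database alongside the user record.
_RESET_STORE = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def issue_reset_token(username, now=None):
    """Create a fresh reset token for the user and return it for delivery.

    secrets.token_urlsafe() reads the OS CSPRNG, so the token cannot be
    reproduced by an attacker who knows the time or a previous token, which is
    the weakness a predictable PRNG introduces. Only the hash is stored, so a
    database leak does not yield usable tokens.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes, 256 bits of entropy
    digest = hashlib.sha256(token.encode()).hexdigest()
    _RESET_STORE[username] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def verify_reset_token(username, token, now=None):
    """Return True only if the token matches, is unexpired and has not been used.

    The hash comparison uses hmac.compare_digest to avoid a timing side channel,
    and the record is deleted on success so a token works exactly once.
    """
    now = time.time() if now is None else now
    record = _RESET_STORE.get(username)
    if record is None:
        return False
    digest, expiry = record
    if now > expiry:
        _RESET_STORE.pop(username, None)  # stale token: discard it
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return False  # wrong token: keep the record so the valid one still works
    _RESET_STORE.pop(username, None)  # consume the token on successful use
    return True
```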
- Core - XSS Vulnerability, Joomla! security advisory for 1.6.x to 1.7.2 versions.
- Core - Password Change, Joomla! security advisory for 1.6.x to 1.7.2 versions.
- Core - Password Change, Joomla! security advisory for 1.5.x.