
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN157
____________________________________________________________________

DATE                : 29/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Joomla! versions 1.5.x
                       prior to 1.5.25.

======================================================================
http://developer.joomla.org/security/news/9-security/10-core-security/396-20120305-core-password-change
http://developer.joomla.org/security/news/9-security/10-core-security/397-20120306-core-information-disclosure
______________________________________________________________________


Security News
[20120305] - Core - Password Change

    * Project: Joomla!
    * SubProject: All
    * Severity: High
    * Versions: 1.5.25 and all earlier 1.5.x versions
    * Exploit type: Password Change
    * Reported Date: 2012-March-8
    * Fixed Date: 2012-March-27

Description

Insufficient randomness leads to password reset vulnerability.


Affected Installs

Joomla! versions 1.5.25 and all earlier 1.5.x versions


Solution

Upgrade to version 1.5.26

Reported by George Argyros and Aggelos Kiayias


Contact

The JSST at the Joomla! Security Center.

______________________________________________________________________


Security News
[20120306] - Core - Information Disclosure

    * Project: Joomla!
    * SubProject: All
    * Severity: Low
    * Versions: 1.5.25 and all earlier 1.5.x versions
    * Exploit type: Information Disclosure
    * Reported Date: 2012-January-7
    * Fixed Date: 2012-March-27


Description

Inadequate permission checking allows unauthorised viewing of
administrative back end information.


Affected Installs

Joomla! versions 1.5.25 and all earlier 1.5.x versions


Solution

Upgrade to version 1.5.26

Reported by Cyrille Barthelemy


Contact

The JSST at the Joomla! Security Center.


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
