The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set.
The password and username reset mechanism in Joomla! creates links with an HTTP prefix instead of HTTPS in the case of encrypted connections, if the 'Force SSL' flag is not explicitly set in the configuration. This means that reset tokens are transmitted over an unencrypted channel, allowing them to be intercepted using man-in-the-middle techniques. An attacker monitoring network traffic can obtain the token and take control of the user account.
An attacker can intercept a password reset token or username sent via an unencrypted HTTP link and gain unauthorized access to the account of any user who initiated the reset process.
Apply patches available from the vendor according to the references (https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html). As a temporary measure, it is recommended to explicitly enable the 'Force SSL' flag in the Joomla! configuration to enforce the generation of reset links using HTTPS.
Joomla! — versions indicated in the vendor's references (security bulletin 20260518)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJoomla Joomla\!
APPJoomla3.0.0 – 5.4.6 (bez)6.0.0 – 6.1.1 (bez)
Related vulnerabilities
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass ...
SQL injection w metodzie quoteNameStr pakietu bazy danych Joomla Framework
Joomla! — cache poisoning przez dowolne parametry w paginacji
An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the sel...
An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a s...