A flaw in the reset token validation mechanism allows
non-validating tokens to be forged. This allows
an unauthenticated, unauthorized user to reset the password
of the first enabled user (lowest id). Typically, this is
an administrator user. Note that changing the first user's
username may lessen the impact of this exploit (since the
person who changed the password does not know the login
associated with the new password). However, the only way
to completely rectify the issue is to upgrade to 1.5.6
(or patch the /components/com_user/models/reset.php file).