If you're a Joomla user and haven't seen this yet, it is urgent that you know about this security issue.
I'm not sure why the word is slowly getting out on this, but I just got a notification email this morning regarding a MAJOR security vulnerability that still impacts v1.0.13. Apparently you risk complete server vulnerability unless you log out from Admin while surfing other sites or executing upgrades of third party extensions. Apparently this one allows the bad guys to add themselves as a new SuperAdmin if you happen upon a site that the hackers have already exploited or set up to create the exploit. I will say that there is still some question about whether this is in fact a valid issue, or even an urgent one, as it involves a lot of "ifs" and if you avoid them, no apparent problem. And the best advice is don't surf while logged into Admin, and log out as soon as you can. [Added: Joomla core developers have now confirmed this is valid!]
The information can be found here:
http://www.securityfocus.com/archive/1/485676/30/0/threaded
And more here:
http://blog.phil-taylor.com/2008/01/02/joomla-1013-contains-a-csrf-vulnerbility/
And here:
http://forum.joomla.org/index.php/topic,248109.0.html
The bad news is that this apparently also impacts/impacted the new 1.5 RC4 version, but it seems that it has been resolved or is about to be resolved for that and should be fine when the stable version is finally released. And it looks like they have started working the issue and plan on providing a fix for it that may come out in a 1.0.x update.
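The issue described in the post is a cross-site request forgery (CSRF): the browser automatically attaches the admin's session cookie to any request a malicious page triggers, so a state-changing admin action (such as creating a SuperAdmin user) that relies on the cookie alone can be driven from another site. The standard server-side fix is a synchronizer token that lives in the session and must be echoed back in the form, which the attacking site cannot read. The following is an added, generic PHP illustration of that check; it is not Joomla's code and makes no claim about how the Joomla fix was implemented. The `create_user` action name and the form fields are assumed for illustration.

```php
<?php
// Added example (not Joomla code): synchronizer-token defence against CSRF
// for a privileged, state-changing admin action.
session_start();

// Return the per-session anti-CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG, hex-encoded (64 chars).
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a POST against the session copy.
// hash_equals() compares in constant time so the check does not leak timing.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token']     ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the request before doing anything privileged: a forged request
    // from another origin carries the session cookie but not the token.
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Only now perform the privileged action (assumed name: create_user).
    // create_user($_POST['username'], $_POST['group']);
}
?>
<!-- The token is embedded in the legitimate admin form; a page on another
     site cannot read it and therefore cannot submit a valid request. -->
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="hidden" name="group" value="author">
  <button type="submit">Create user</button>
</form>
```

The important design point for an administrator reading the post: logging out of Admin before browsing elsewhere works because it removes the session cookie the forged request depends on, while the token check above removes the dependency on the cookie alone, so the action cannot be triggered from a third-party page even while an admin session is open. GET requests should never perform state changes, since a token on a link is easily leaked through referrers and history.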