It is difficult to speculate on the possible vulnerability and administrators should take measured steps to prepare for the release of the upcoming patch, rather than hyperventilate. However, Jooma!'s reticence to publish details before patches are issued combined with its description of the bug as critical suggests the problem allows either data siphoning bug or server compromise.
If you're using it, forget your production tomorrow. Best get it patched immediately. I never got along with Joomla!, though I tried it a couple of times. It and I just don't think alike.