RelateIQ: Resubmitted with POC #18685 Password reset CSRF

2014-07-01T18:06:26
ID H1:18698
Type hackerone
Reporter shahmeer-amir
Modified 2014-09-16T17:46:11

Description

Hey there I found out that an attacker can use the password reset link to forge requests because there is no CSRF token in that particular request to validate that request. You should always have a CSRF token in the password reset request.