Hi.
No check parameter forgot-password
in /apps/io.ox/core/boot/form.js:
function n() {
$("#io-ox-password-forget-form").remove();
var a = _.url.hash("forgot-password") || p.forgotPassword;
a ? $("#io-ox-forgot-password").find("a").attr("href", a) : ($("#io-ox-forgot-password").remove(), $("#io-ox-login-store").toggleClass("col-sm-6 col-sm-12"))
}
malicious code injection