Indico does not perform password resets securely. By manipulating the Host header in the password reset function, an attacker can trick the application into sending a user a password reset link that points to a host controlled by the attacker instead of the actual Indico host.
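
The pattern behind this class of bug, next to a hardened form, as an added example that is not Indico's own code. `BASE_URL`, the `/reset/` path, the function names and the sample headers are all hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the deployment has one canonical public URL set in server-side
# configuration (constructed value, not taken from Indico).
BASE_URL = "https://indico.example.org"


def reset_link_from_host_header(headers, token):
    """Vulnerable pattern: the link's host is copied from the request."""
    return f"https://{headers.get('Host', '')}/reset/{token}"


def reset_link_from_config(token, base_url=BASE_URL):
    """Hardened pattern: the link is built only from server-side configuration."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("BASE_URL must be an absolute https URL")
    return f"{parts.scheme}://{parts.netloc}/reset/{token}"


def host_is_canonical(headers, base_url=BASE_URL):
    """Defence in depth: accept only requests addressed to the configured host."""
    expected = urlsplit(base_url).netloc.lower()
    return headers.get("Host", "").strip().lower() == expected


def handle_reset_request(headers, token):
    """Return (status, link); reject a mismatched Host before any mail is sent."""
    if not host_is_canonical(headers):
        return 400, None
    return 200, reset_link_from_config(token)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one with a foreign Host value.
    for headers in ({"Host": "indico.example.org"}, {"Host": "attacker.example"}):
        print(headers["Host"])
        print("  host-derived link:", reset_link_from_host_header(headers, "TOKEN"))
        print("  hardened handler :", handle_reset_request(headers, "TOKEN"))
```

The same check can also be enforced in front of the application, by having the reverse proxy or web server accept only the expected host names.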