The problem seems to be that the email validation required for resetting the password could be circumvented. There is no detailed information in the posts about how, but likely either the validation hash was generated in an insecure fashion, or the email address input was not properly sanitized and allowed piggybacking (CCing) a 2nd email address to receive the confirmation email.
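As an added illustration (not code from the post or from whatever product it discusses), here are the two defensive checks that the post's two hypotheses call for: a reset token drawn from the OS CSPRNG rather than derived from guessable data, and a recipient check that accepts exactly one plain address so nothing can be piggybacked onto the confirmation mail. Function names, the regex and the sample addresses are my own constructions.

```python
import re
import hmac
import secrets
from email.utils import parseaddr
from typing import Optional

# Constructed, deliberately strict shape: one local part, one '@', one domain.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def single_recipient(raw: str) -> Optional[str]:
    """Return the address only if the input is exactly one bare address.

    Rejects CR/LF (which would let extra mail headers such as Cc: be smuggled
    into the message), list separators that mail libraries may treat as a
    second recipient (',' ';'), and display-name / angle-bracket forms, which
    parseaddr() would otherwise silently reduce to a different address.
    """
    if not isinstance(raw, str) or any(c in raw for c in "\r\n,;<>\"()"):
        return None
    addr = raw.strip()
    if not _ADDR_RE.fullmatch(addr):
        return None
    # Belt and braces: the header-parsing view must agree with the regex view.
    name, parsed = parseaddr(addr)
    if name or parsed != addr:
        return None
    return addr


def issue_reset_token() -> str:
    """Unpredictable 32-byte token from the OS CSPRNG, the opposite of the
    'insecure generation' case (a hash of user id, email or timestamp)."""
    return secrets.token_urlsafe(32)


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so a lookup cannot leak the stored token."""
    return hmac.compare_digest(presented.encode(), stored.encode())
```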