Invalidate password reset token on email change #320
When a user changes their email ID any password reset tokens that are valid for that user should be invalidated.
This is a very low risk issue since the reset link invalidates in an hour and requires that the email of the user gets compromised (which is out of our control).
This vulnerability has been reported through the Bug bounty program.
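
One way to implement the requested behaviour, as an added example that is not code from this project: a reset-token store that drops a user's outstanding tokens when their email changes. The `AccountStore` class and all of its method names are hypothetical, and the one-hour lifetime is taken from the issue text.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 3600  # the issue states reset links expire after an hour


class AccountStore:
    """Hypothetical in-memory store; all names are assumptions for this example."""

    def __init__(self):
        self.emails = {}        # user_id -> current email
        self.reset_tokens = {}  # sha256(token) -> (user_id, expires_at)

    def issue_reset_token(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Store only the digest so a leaked table does not yield usable links.
        self.reset_tokens[digest] = (user_id, now + RESET_TTL_SECONDS)
        return token

    def invalidate_reset_tokens(self, user_id):
        stale = [d for d, (uid, _) in self.reset_tokens.items() if uid == user_id]
        for digest in stale:
            del self.reset_tokens[digest]
        return len(stale)

    def change_email(self, user_id, new_email):
        self.emails[user_id] = new_email
        # The fix requested in the issue: links mailed to the old address die here.
        return self.invalidate_reset_tokens(user_id)

    def redeem_reset_token(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # single use
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now < expires_at else None
```
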