It is possible to reset the password using the /vulnerabilities/csrf/ form for Low and Medium security settings just by entering any word in both the fields. This is not an issue as such, but it causes inconvenience when running an automated application vulnerability scan: the scanner would try different values for each form, including this one, and would lock itself out of the app by changing the password.
Not a developer on this project but:
Do you have a recommended fix? Making it less trivial/checking a token kind of defeats the purpose of a CSRF problem. May be more of an issue with the scanner itself in my opinion.
For demonstration and testing purposes, making it something more trivial should be fine. It just has to be something which does not actually change the behaviour of the application or limit users' access to the application.
I would suggest having a variable called Alias, which is visible on the page, and using the CSRF form to update it. Behaviour similar to the current one can be implemented for updating it at the various security levels, wherein just entering the new Alias should be fine for Low and Medium and entering the current and the new for Hard.