poss bug in the create security pages wizard
Scenario - registration pages created using default settings in DataBridge's (v1.22) wizard.
Selecting SH1 for password encryption.
If when requesting a password reset in forgotpassword.php, the email is sent to the requester.
The requestor clicks on link in email which opens the password reset page.
If the user enters a different email address, such as one that already exists in the DB (not theirs) , on submitting to reset password, the typed email address overwrites the email address in the record being edited in the DB.
Firstly, do you concur?
Can you update the wizard to prevent a different email address from being entered by the requester during the password reset process - whether malicious or not?