1. Email reset links where parameter pollution lets an attacker reset the password of any user by having the reset token emailed to the attacker's address and the victim's at the same time.

2. Weak regex in new temporary passwords, where an attacker predicts the pattern of the emailed temporary passwords and uses brute force or custom dictionaries against them.

3. Password reset token leak in the Referer header on POST requests and when accessing any other links on the password reset pages.

4. Password reset code brute force, where an attacker can brute-force the confirmation codes that are emailed or sent via SMS to users on password reset requests.

5. User enumeration, XSS and SQL injection on password reset pages.

6. CSRF where an attacker can force a password change on a logged-in user because the account settings pages do not require the current password along with the new password.

7. CSRF on account settings where an attacker forces an email change on a logged-in user, resets the password, and then boots them off their own account.

8. Password resets not invalidating old sessions, so users are unable to flush attackers out of their accounts even after a password change.

9. Use of easy-to-decrypt password reset tokens. Attackers can sometimes decrypt reset tokens easily and manipulate them to match a victim's account, for example with JWT tokens, basic MD5 or common encryption algorithms.

10. Easy-to-exploit IDOR, where the reset token decrypts on the front end to a user ID reference and attackers manipulate that to change the password of any account.
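
An added example (not part of the original list) of a reset flow that closes items 4, 8, 9 and 10: an opaque random token checked against the server-side record for the account, a cap on wrong guesses, single use, expiry, and session invalidation on success. `ResetService`, its method names, `TOKEN_TTL` and `MAX_ATTEMPTS` are hypothetical, and the dictionaries stand in for a real database.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed lifetime of a reset secret, in seconds
MAX_ATTEMPTS = 5      # assumed cap on wrong guesses per pending reset

class ResetService:
    """In-memory stand-in for the account, reset and session tables."""
    def __init__(self):
        self.pending = {}    # user_id -> {"hash", "expires", "attempts"}
        self.sessions = {}   # session_id -> user_id
        self.passwords = {}  # user_id -> password (store a slow hash in practice)

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid

    def request_reset(self, user_id):
        # Opaque CSPRNG value: no user id or other data inside it to decode
        # or edit (items 9 and 10). Only its hash is kept server-side.
        token = secrets.token_urlsafe(32)
        self.pending[user_id] = {
            "hash": hashlib.sha256(token.encode()).digest(),
            "expires": time.time() + TOKEN_TTL,
            "attempts": 0,
        }
        return token  # sent only to the address on file, never one from the request

    def confirm_reset(self, user_id, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None or now > entry["expires"]:
            self.pending.pop(user_id, None)
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(supplied, entry["hash"]):
            # Item 4: a few wrong guesses void the reset (vital for short codes).
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[user_id]
            return False
        del self.pending[user_id]  # single use
        self.passwords[user_id] = new_password
        # Item 8: end every session the account had before the reset.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user_id}
        return True
```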