Replies: 10
It seems that the hardening has broken password reset links. Here’s a redacted link generated from a reset:https://(domain.com)/your-account/?a=set_password_from_key\&\#\0\3\8\;key=(redacted)\&\#\0\3\8\;login=(redacted)
Escaping the code because this forum is just converting it to an ampersand.
The page generates:
Invalid user.
Request a new reset key.
It works as expected if the user modifies the URL to just the ampersands instead of the \&\#\0\3\8\;