There is a logical loophole in the front end for any user to change the password

[N-Next]

Affected versions：v3.1.1

The steps to reproduce

When logging in, choose to forget your password and choose to retrieve your password And enter any existing email address and its bound account The backend will generate a four-digit alphanumeric verification code Then you can use burpsuite to blast the email verification code Successful blasting Successful password modification After testing, the verification code is valid for two minutes, and the verification code will be blasted within two minutes, and the verification code will not be modified

repair suggestion

• Reset the verification code when the verification code is entered incorrectly five times