Password change and password reset are self-service mechanisms that let a user change or recover a password without administrator intervention. If the mechanism is weak, an attacker can set any user's password and take over the account. The reset flow must therefore be protected against unauthorized changes, for example with a one-time authorization token sent to the user's e-mail address, and the server must actually verify that token before accepting the new password: it should be unpredictable, bound to the account it was issued for, time-limited, and invalidated after a single use.
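To make the server-side check concrete, here is an added example (not code from the original page or from the application it describes) in Python. It places a reset handler that accepts a token parameter but never checks it, which is the class of flaw this article goes on to describe, beside a hardened handler that verifies the token exists, belongs to the account, is unexpired and is unused. The in-memory `USERS` and `RESET_TOKENS` stores, the e-mail address, the 15-minute lifetime and the SHA-256 password stand-in are all assumptions constructed for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores that stand in for the application's database
# (assumption: a real application keeps these in persistent storage).
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(raw token) -> {"email", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def hash_password(password: str) -> str:
    # Stand-in only: a real application must use a slow password hash
    # such as argon2id or bcrypt, never plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    return user is not None and user["password_hash"] == hash_password(password)


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time reset token for an existing account.

    Only the SHA-256 of the token is stored, so a database leak does not hand
    out usable tokens. The raw token is what would be e-mailed to the user; it
    is returned here so the example can exercise it.
    """
    if email not in USERS:
        # Respond identically to the caller either way to avoid user enumeration.
        return None
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def reset_password_vulnerable(email: str, token: str, new_password: str) -> bool:
    """Reproduces the flaw: the token is present in the request but never
    checked, so anyone who knows the e-mail address can set the password."""
    if email not in USERS:
        return False
    USERS[email]["password_hash"] = hash_password(new_password)
    return True


def reset_password_hardened(email: str, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Accept the new password only for a token that exists, belongs to this
    account, has not expired and has not been used before."""
    if now is None:
        now = time.time()
    # Look the token up by its hash instead of comparing raw tokens: no
    # secret-dependent string comparison and no raw tokens in storage.
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    record = RESET_TOKENS.get(digest)
    if record is None:
        return False  # unknown or forged token
    if record["email"] != email:
        return False  # token was issued for a different account
    if record["used"] or now > record["expires"]:
        return False  # replayed or stale token
    record["used"] = True  # single use: invalidate before changing anything
    USERS[email]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # The vulnerable handler changes the password with a made-up token.
    print("vulnerable:", reset_password_vulnerable("alice@example.com", "garbage", "pwned"))
    # The hardened handler rejects the same request and accepts only a real, unused token.
    print("hardened, forged token:", reset_password_hardened("alice@example.com", "garbage", "pwned"))
    real = issue_reset_token("alice@example.com")
    print("hardened, real token:", reset_password_hardened("alice@example.com", real, "fresh"))
    print("hardened, replayed token:", reset_password_hardened("alice@example.com", real, "again"))
```

When testing a reset endpoint, send a request with a missing, malformed or previously used token and with a token issued for a different account; each of those must be rejected with no change to the password, exactly as the hardened handler does here.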
In one of the applications tested, the server did not verify the password change authorization token at all. Knowing only the user's e-mail address, an attacker could change that user's password by sending the request presented below to the server:
In response, the server returned the password change confirmation presented below: