There is a serious vulnerability found in the Reset Password component of the User plugin by RainLab from version 1.4.1 and below.
This issue affects websites running the
RainLab.User plugin only. If your website does not use this plugin, this article can be safely ignored.
October Build 420+
If you are running October Build 420 or above, perform a system update and ensure you are running RainLab.User v1.4.2 or above.
October Build 419
If you are running October Build 419 or below, you should patch your copy of this plugin with the following command. Run this command from the base path of your application:
php -r "eval('?>'.file_put_contents('plugins/rainlab/user/components/ResetPassword.php', file_get_contents('https://raw.githubusercontent.com/rainlab/user-plugin/build419/components/ResetPassword.php')));"