Comment 1 for bug 1577251

Aaron Wells (u-aaronw) wrote:

Setting priority to "Low" because this vulnerability is of limited use:

1. This vulnerability only helps an attacker who has already compromised the victim's Mahara account. It does not offer a means to compromise an account on its own.

2. This attack doesn't allow for an ongoing cycle of compromises. Once used, the attacker will have changed the victim's password, which will lead the victim to use the "Forgot password" page themselves, which deletes all other password reset emails for the user. So, the attacker can only use this once.

3. Mahara password reset emails are only valid for 24 hours. So this method can't be used to re-compromise the account days later when the victim has become less suspicious.