An issue in Roadcute API v.1 allows a remote attacker to execute arbitrary code via the application exposing a password reset API endpoint that fails to validate the identity of the requester properly
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.