1. User Enumeration
2. Missing Rate Limiting
3. SQL Injection
4. Cross-Site Scripting (XSS)
5. Text Injection / Content Spoofing
6. HTML Injection in Email
7. Password Reset Poisoning via Host Header Injection
8. Reusable Password Reset Token
9. No Expiration on Password Reset Token
10. Guessable Password Reset Token
11. Security Question Bypass
    1. Direct Request
    2. Referrer Check Bypass
12. Parameter Pollution
13. Reset Token Leakage in Response
14. Password Reset on OTP Brute-Force
15. Weak Cryptography in Reset Token Generation
16. IDN Homograph Attack
17. Account Takeover
18. Third-Party Leakage
19. Weak Password Policy
20. Insufficient Session Expiration on Password Change
21. MFA Auto-Disable after Password Reset