The UI Performs the Wrong Action in pheditor/pheditor
Oct 2nd 2021
With your new fix in https://github.com/pheditor/pheditor/commit/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867, it is basically impossible to change the password now, because you forgot to add the CSRF token to the reset password functionality. Hence the password cannot be changed from 'admin'.
Proof of Concept
Trying to reset the password gives: Error: Invalid token. Please reload the page.
Users cannot change the default password in the new fix. Hence attackers can log in to PHEditor using the 'admin' password.
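The failure mode described above, as an added PHP sketch that is not pheditor's own code: the handler enforces a session CSRF token on every request, so a password form that never sends the token is always rejected, while the same form with the token succeeds. The function names, field names and sample values are hypothetical.

```php
<?php
// Added illustration; function and field names are hypothetical, not pheditor's code.

// Server side: reject any state-changing request whose token does not match the session's.
function handle_request(array $session, array $post): string
{
    $sent = $post['token'] ?? '';
    // hash_equals() compares in constant time; is_string() guards against array input.
    if (!is_string($sent) || !hash_equals($session['token'], $sent)) {
        return 'Error: Invalid token. Please reload the page.';
    }
    if (($post['action'] ?? '') === 'password') {
        // A real handler would verify the current password and store a hash of the new one.
        return 'Password changed.';
    }
    return 'Unknown action.';
}

// Client side, modelled as the set of fields the password form submits.
function password_form_fields(array $session, bool $includeToken): array
{
    $fields = ['action' => 'password', 'password' => 'constructed-new-password'];
    if ($includeToken) {
        $fields['token'] = $session['token'];
    }
    return $fields;
}

$session = ['token' => bin2hex(random_bytes(32))]; // constructed per-session token

// Form as described in the report: token check enforced, token never sent.
echo handle_request($session, password_form_fields($session, false)), PHP_EOL;

// Corrected form: same handler, token included with the request.
echo handle_request($session, password_form_fields($session, true)), PHP_EOL;
```

When token enforcement is added to a handler, every form and AJAX call that reaches it needs the token in the same change, and the password-change path deserves its own regression test because a broken one leaves the default credential in place.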