The forgot password page is vulnerable to an account enumeration vulnerability.
This patch fixes that.
I was not sure if Email::sendResetPasswordEmail() is not vulnerable itself, though. From my testing it looks like it's not, but somebody with better code knowledge needs to check if neutral exceptions are thrown in case the user doesn't have an email and such.
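The following is an added example, not the patch or the project's own code, showing the property the message asks a reviewer to check: the forgot-password handler returns one neutral response whether the account is missing, has no email, or the mail was sent. It assumes PHP, and every name in it (`sendResetEmail`, `handleForgotPassword`, `MailerError`, the sample users) is a hypothetical stand-in.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type standing in for whatever the mail layer throws.
final class MailerError extends RuntimeException {}

const NEUTRAL_BODY = 'If the account exists, a reset link has been sent to its email address.';

// Constructed sample data: one user with an email, one without.
function sampleUsers(): array
{
    return [
        'alice' => ['email' => 'alice@example.test'],
        'bob'   => ['email' => null],
    ];
}

// Hypothetical mail routine: fails in distinguishable ways internally.
function sendResetEmail(string $login): void
{
    $users = sampleUsers();
    if (!array_key_exists($login, $users)) {
        throw new MailerError('unknown user');
    }
    if (empty($users[$login]['email'])) {
        throw new MailerError('user has no email');
    }
    // A real implementation would generate a token and queue the message here.
}

// The handler collapses every outcome into the same status and body.
function handleForgotPassword(string $login): array
{
    try {
        sendResetEmail($login);
    } catch (Throwable $e) {
        // Keep the reason server-side only; nothing from $e reaches the client.
        error_log('password reset not sent: ' . $e->getMessage());
    }
    return ['status' => 200, 'body' => NEUTRAL_BODY];
}

// Existing user, user without email, and unknown user all look identical.
foreach (['alice', 'bob', 'mallory'] as $login) {
    $response = handleForgotPassword($login);
    echo $login, ' => ', $response['status'], ' ', $response['body'], PHP_EOL;
}
```

Identical bodies and status codes do not cover response time: if the mail is sent synchronously only for valid accounts, the delay can still distinguish them, so queueing the send is the usual complement to this check.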