Password recovery is vulnerable to re-use of reset links
A password reset link is supposed to work only for one hour. This timer gets reset though with subsequent password reset requests.
user.setLastChange(new Date()); would basically activate not only the current but all past request links.
Update: apparently this is no issue as the new request would also update the secret required to be known by the attacker.
Issue is closed.
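To make the reasoning behind the closure concrete, here is an added Python model of the reset flow (example code, not the project's own; the User record, the hashed-secret storage and the function names are assumptions). It contrasts two cases: refreshing only the timestamp, which is what the setLastChange(new Date()) line does in isolation and which would revive an expired link, against a full reset request that also rotates the secret carried in the link, which is why the old link stops working.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Reset links are valid for one hour (the lifetime stated in the issue).
RESET_TTL_SECONDS = 3600


@dataclass
class User:
    """Minimal stand-in for the application's user record (constructed)."""
    email: str
    reset_secret_hash: Optional[str] = None  # hash of the secret embedded in the link
    last_change: Optional[float] = None      # issue time; analogue of setLastChange()


def _hash_secret(secret: str) -> str:
    # Store only a hash so a database read alone does not yield a usable link.
    return hashlib.sha256(secret.encode()).hexdigest()


def request_reset(user: User, now: float) -> str:
    """Full reset request: mint a fresh secret AND restart the timer.

    Returns the secret that would be embedded in the emailed link.
    """
    secret = secrets.token_urlsafe(32)
    user.reset_secret_hash = _hash_secret(secret)
    user.last_change = now
    return secret


def refresh_timer_only(user: User, now: float) -> None:
    """Models the bare setLastChange(new Date()) line: timer restarts, secret unchanged."""
    user.last_change = now


def verify_reset(user: User, presented_secret: str, now: float) -> bool:
    """Accept the link only if it is unexpired and its secret matches the stored one."""
    if user.reset_secret_hash is None or user.last_change is None:
        return False
    if now - user.last_change > RESET_TTL_SECONDS:
        return False
    # Constant-time comparison of the hashes avoids leaking the match via timing.
    return hmac.compare_digest(_hash_secret(presented_secret), user.reset_secret_hash)


def complete_reset(user: User) -> None:
    """Single use: clear the secret once the password has actually been changed."""
    user.reset_secret_hash = None
    user.last_change = None


def scenario_timer_refresh_only() -> dict:
    """The feared behaviour: restarting the timer alone revives an expired link."""
    user = User("alice@example.test")  # constructed sample user
    link1 = request_reset(user, now=0.0)
    expired = verify_reset(user, link1, now=7200.0)   # two hours later: expired
    refresh_timer_only(user, now=7200.0)              # timer restarted, same secret
    revived = verify_reset(user, link1, now=7200.0)   # old link works again
    return {"expired": expired, "revived": revived}


def scenario_full_request() -> dict:
    """The actual behaviour: a new request rotates the secret, so old links die."""
    user = User("alice@example.test")
    link1 = request_reset(user, now=0.0)
    link2 = request_reset(user, now=7200.0)           # second request, new secret
    return {
        "old_link": verify_reset(user, link1, now=7200.0),
        "new_link": verify_reset(user, link2, now=7200.0),
        "new_link_after_ttl": verify_reset(user, link2, now=7200.0 + 3601),
    }


if __name__ == "__main__":
    print("timer refresh only:", scenario_timer_refresh_only())
    print("full request:      ", scenario_full_request())
```

The check that matters is the secret comparison, not the timer: as long as every request replaces the stored secret, refreshing last_change cannot bring back an earlier link, and clearing the secret on a completed reset keeps each link single-use.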