Merge pull request from GHSA-r3c9-9j5q-pwv4

app/code/core/Mage/Customer/controllers/AccountController.php

@@ -843,6 +843,11 @@ public function resetPasswordAction()
      */
     public function resetPasswordPostAction()
     {
+        if (!$this->_validateFormKey()) {
+            $this->_redirect('*/*/');
+            return;
+        }
+
         list($customerId, $resetPasswordLinkToken) = $this->_getRestorePasswordParameters($this->_getSession());
         $password = (string)$this->getRequest()->getPost('password');
         $passwordConfirmation = (string)$this->getRequest()->getPost('confirmation');

app/design/frontend/base/default/template/customer/form/resetforgottenpassword.phtml

@@ -23,6 +23,7 @@
 </div>
 <?php echo $this->getMessagesBlock()->toHtml(); ?>
 <form action="<?php echo $this->getUrl('*/*/resetpasswordpost'); ?>" method="post" id="form-validate">
+    <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
     <div class="fieldset" style="margin-top: 70px;">
         <ul class="form-list">
             <li class="fields">

app/design/frontend/rwd/default/template/customer/form/resetforgottenpassword.phtml

@@ -23,6 +23,7 @@
 </div>
 <?php echo $this->getMessagesBlock()->toHtml(); ?>
 <form action="<?php echo $this->getUrl('*/*/resetpasswordpost'); ?>" method="post" id="form-validate" class="scaffold-form">
+    <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
     <div class="fieldset" style="margin-top: 70px;">
         <p class="required"><?php echo $this->__('* Required Fields'); ?></p>
         <ul class="form-list">