thirtybees · therampagerado · Aug 28, 2025
diff --git a/password-set.tpl b/password-set.tpl
@@ -7,11 +7,11 @@
     <div class="alert alert-success">{l s='Your password has been changed'}</div>
   {else}
     <p>{l s='Please enter new password for [1]%s[/1]' sprintf=[$customer->email] tags=['<b>']}</p>
-    <form action="{$link->getPageLink('password', true)|escape:'html':'UTF-8'}" method="post">
+    <form action="{$link->getPageLink('password', true, null, 'token='|cat:$token)}" method="post">
       <fieldset>
         <input type="hidden" name="username" value="{$customer->email}" />
-        <input type="hidden" name="token" value="{$customer->secure_key}" />
-        <input type="hidden" name="id_customer" value="{$customer->id}" />
+        <input type="hidden" name="token" value="{$token}">
+        <input type="hidden" name="csrf_token" value="{$csrf_token|escape:'html':'UTF-8'}">
         <div class="form-group">
           <label for="email">{l s='Password'}</label>
           <input class="form-control" type="password" id="password" name="password" autocomplete="new-password" required>

diff --git a/password.tpl b/password.tpl
@@ -7,7 +7,7 @@
   {if isset($confirmation) && $confirmation == 1}
     <div class="alert alert-success">{l s='Your password has been successfully reset and a confirmation has been sent to your email address:'} {if isset($customer_email)}{$customer_email|escape:'html':'UTF-8'|stripslashes}{/if}</div>
   {elseif isset($confirmation) && $confirmation == 2}
-    <div class="alert alert-success">{l s='A confirmation email has been sent to your address:'} {if isset($customer_email)}{$customer_email|escape:'html':'UTF-8'|stripslashes}{/if}</div>
+    <div class="alert alert-success">{l s='A confirmation email has been sent to your address if it appears in our records:'} {if isset($customer_email)}{$customer_email|escape:'html':'UTF-8'|stripslashes}{/if}</div>
   {else}
     <p>{l s='Please enter the email address you used to register. We will then send you a new password. '}</p>
     <form action="{$request_uri|escape:'html':'UTF-8'}" method="post" class="std" id="form_forgotpassword">