Description
The 'lost your password' flow is vulnerable to phishing attacks.
Usecase:
An attacker tries to reset the password of an account, and the email gets sent out. The attacker then only needs to check if they can log in using this new password (either because a user clicked the link in the email or, even worse, because an automated email vulnerability scanner checked the URL in the email).
To prevent this from succeeding, the following can be done.
The confirmResetPassword class (in Login/controller.php) would need to have an extra check:
After the validation of the resetToken, the user needs to be asked to retype the previously chosen password (the one entered in the initial "change your password" screen).
Only after successful confirmation of this password should the account password be reset.
I'm not a PHP programmer, would this be easy to implement?
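The flow proposed above, written out as a stand-alone PHP sketch. This is an added example, not the project's own Login/controller.php (whose internals are not shown here); the class `PasswordResetStore`, the function `confirmResetPassword`, and the in-memory storage are hypothetical stand-ins for the real model, session and database code. The point it demonstrates: opening the emailed link (a GET) only validates the token and renders a form, and the password is changed only on a POST in which the visitor retypes the password chosen on the initial screen.

```php
<?php
// Added example (not the project's code): a password-reset flow in which visiting
// the emailed link never changes the password by itself. The reset completes only
// when the visitor re-enters the password chosen on the initial "lost your
// password" screen. Storage is an in-memory array so the script runs stand-alone.

declare(strict_types=1);

final class PasswordResetStore
{
    /** @var array<string, array{user_id:int, new_pw_hash:string, expires:int}> keyed by sha256(token) */
    private array $pending = [];
    /** @var array<int, string> user id => current password hash */
    public array $users = [];

    // Step 1 (initial screen): the requester chooses the new password and a reset
    // e-mail is sent. Only hashes are stored, and the account itself is untouched.
    public function beginReset(int $userId, string $chosenPassword, int $ttlSeconds = 3600): string
    {
        $token = bin2hex(random_bytes(32));
        $this->pending[hash('sha256', $token)] = [
            'user_id'     => $userId,
            'new_pw_hash' => password_hash($chosenPassword, PASSWORD_DEFAULT),
            'expires'     => time() + $ttlSeconds,
        ];
        return $token; // this is what goes into the emailed link
    }

    // Step 2 (link opened, GET): validate the token only. Nothing is mutated here,
    // so link scanners and accidental clicks cannot complete the reset.
    public function tokenIsValid(string $token): bool
    {
        $entry = $this->pending[hash('sha256', $token)] ?? null;
        return $entry !== null && $entry['expires'] >= time();
    }

    // Step 3 (form submitted, POST): apply the reset only if the retyped password
    // matches the one chosen in step 1. A victim who did not request the reset
    // cannot know that password, so confirming someone else's request fails.
    public function confirmReset(string $token, string $retypedPassword): bool
    {
        $key   = hash('sha256', $token);
        $entry = $this->pending[$key] ?? null;
        if ($entry === null || $entry['expires'] < time()) {
            return false;
        }
        if (!password_verify($retypedPassword, $entry['new_pw_hash'])) {
            return false; // wrong confirmation; the token stays pending (rate-limit this in practice)
        }
        $this->users[$entry['user_id']] = $entry['new_pw_hash'];
        unset($this->pending[$key]); // single use
        return true;
    }
}

// Hypothetical controller glue: the HTTP method decides which step runs.
function confirmResetPassword(PasswordResetStore $store, string $method, array $query, array $post): string
{
    $token = (string) ($query['token'] ?? '');
    if (!$store->tokenIsValid($token)) {
        return 'invalid-or-expired';
    }
    if ($method !== 'POST') {
        return 'show-confirmation-form'; // GET from the e-mail link: nothing changes
    }
    $ok = $store->confirmReset($token, (string) ($post['password'] ?? ''));
    return $ok ? 'password-reset' : 'confirmation-failed';
}

// Stand-alone demonstration with constructed values.
$store = new PasswordResetStore();
$store->users[42] = password_hash('old-secret', PASSWORD_DEFAULT);
$token = $store->beginReset(42, 'requester-chosen');

// A scanner, or a user who merely clicks the link:
echo confirmResetPassword($store, 'GET', ['token' => $token], []), PHP_EOL;
echo password_verify('old-secret', $store->users[42]) ? "account unchanged" : "account changed", PHP_EOL;

// A visitor who does not know the chosen password:
echo confirmResetPassword($store, 'POST', ['token' => $token], ['password' => 'guess']), PHP_EOL;

// The person who actually filled in the initial screen:
echo confirmResetPassword($store, 'POST', ['token' => $token], ['password' => 'requester-chosen']), PHP_EOL;
echo password_verify('requester-chosen', $store->users[42]) ? "account changed" : "account unchanged", PHP_EOL;
```

Two details matter for the check to hold: the confirmation must be a POST with the password in the request body (never a GET parameter, which scanners and logs would capture), and the stored value must be a hash of the chosen password, since the pending-reset record otherwise becomes a plaintext store of passwords chosen by arbitrary requesters.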