What version?
Bug in reset password
Just applying the default behaviour to reset the password, I think that I found a bug.
I'll explain with an example.
I have 2 users, user 1 with email [email protected] and user 2 with email [email protected].
User 1 clicks on reset password and enters his email; this will create a reset token. User 2 does the same thing, so we have 2 different reset tokens for 2 different users:
User 1 gets an email with the link to reset his password, clicks on it and gets the reset form. Now he should enter his email and the new password, but instead of putting his own email he enters the email of user 2: [email protected], and he will change the password for user 2 instead of his own password. The reset function doesn't check if the email that I put in the form is the right email for the token.
Basically, if you know that another user has a reset token, you can change his password whenever you want. I think that the reset function should check the email before changing the password. You can do it just by overriding the reset function, but the default one has a big security hole with this behaviour.
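The check the post is asking for, as an added, framework-independent illustration (not the poster's code and not any framework's own reset implementation): the broken variant accepts a token if it exists for anyone, so the email field picks the victim; the fixed variant looks the token up by the submitted email and only compares against that one record. The in-memory store, hashing and expiry are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time


class PasswordResetBroker:
    """Minimal reset-token store: one outstanding token per email (constructed for this example)."""

    def __init__(self, ttl_seconds=3600):
        self.tokens = {}      # email -> (sha256(token), created_at)
        self.passwords = {}   # email -> current password (stand-in for a user table)
        self.ttl = ttl_seconds

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_token(self, email):
        token = secrets.token_urlsafe(32)
        self.tokens[email] = (self._hash(token), time.time())
        return token  # this is what goes into the emailed link

    def reset_insecure(self, email, token, new_password):
        # The bug described in the post: the token is only checked for existence,
        # not for belonging to `email`, so any valid token changes any account.
        h = self._hash(token)
        if any(hmac.compare_digest(h, stored) for stored, _ in self.tokens.values()):
            self.passwords[email] = new_password
            return True
        return False

    def reset_secure(self, email, token, new_password):
        # Fix: the token must be the one issued for this exact email, unexpired,
        # compared in constant time, and consumed after a successful reset.
        record = self.tokens.get(email)
        if record is None:
            return False
        stored, created_at = record
        if time.time() - created_at > self.ttl:
            return False
        if not hmac.compare_digest(self._hash(token), stored):
            return False
        self.passwords[email] = new_password
        del self.tokens[email]  # single use
        return True
```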