by tiku 2087 days ago
Must be some framework that has this behaviour as default. Else it would be really really bad.
2 comments

What would be the use case for a framework that returns a password reset token to a random user requesting a password reset of another account? The token must only be available to the account owner.

A framework like this should not be used.

This seems to be fairly deliberate; the QR code might probably give you some clues. They needed to generate a QR code so the user could just scan it and reset their password.