Password reset poisoning is a header-based attack in which an attacker manipulates the URL/domain of a password reset link. In addition, by injecting "dangling HTML markup" into HTTP request header values during an application's password reset process, the attacker can capture username/password information as well.
Dangling HTML markup is an HTML tag that has not been completed with its closing `>`. When such a fragment is injected into an HTTP response, the browser treats everything up to the next `>` it encounters as part of the injected tag. Everything up to that character is therefore treated as part of the attacker-controlled URL and sent to the attacker's server in the URL query string. As a consequence, the generated reset token, username, password or other sensitive information is captured and sent to the attacker's server, allowing the attacker to perform an account takeover.
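The following is an added example, not code from the original page, showing the root cause and the fix side by side: a reset link built from the request's Host header (the flaw the text describes) beside a hardened version that validates the Host against an allow-list and builds the link from a configured canonical origin, plus HTML-escaping of the link when it is written into a page so a dangling attribute or tag cannot swallow what follows. The function names, the domains and the token are constructed for the example.

```python
"""Password reset link construction: Host-header-derived (vulnerable) vs. canonical (hardened).

Hypothetical stand-alone code written to illustrate the point above; the
function names, the sample domains and the token are constructed for this example.
"""
import html
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed: the site's canonical origin, taken from deployment configuration,
# never from the incoming request.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def generate_reset_token() -> str:
    """Unguessable, single-use token drawn from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(request_host: str, token: str) -> str:
    """Trusts the request's Host header to build the link. Whatever host the
    client supplied ends up in the reset email, which is the flaw described above."""
    return f"https://{request_host}/reset?{urlencode({'token': token})}"


def host_is_allowed(request_host: str) -> bool:
    """Exact, case-insensitive match against a configured allow-list. Also rejects
    any value containing characters a hostname cannot contain (quotes, angle
    brackets, spaces, path/query delimiters), so an injected HTML fragment or a
    foreign domain never reaches link construction."""
    host = request_host.strip().lower()
    if not host or any(c in host for c in "<>\"' /?#@\\"):
        return False
    return host in ALLOWED_HOSTS


def build_reset_link_safe(request_host: str, token: str) -> Optional[str]:
    """Hardened: refuse the request if the Host header is not one we serve, then
    build the link from the configured canonical origin, ignoring the header."""
    if not host_is_allowed(request_host):
        return None
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def render_reset_page(link: str) -> str:
    """When the link (or any request-derived value) is written into HTML, escape it
    so an unclosed attribute or tag cannot capture the rest of the page."""
    return f'<p>Your reset link: <a href="{html.escape(link, quote=True)}">reset</a></p>'


def link_host(link: str) -> str:
    """Host component of a generated link, used to check where the link points."""
    return urlsplit(link).hostname or ""


if __name__ == "__main__":
    token = generate_reset_token()
    # Constructed request with a foreign Host value: the vulnerable builder
    # points the link at it, the safe builder refuses the request.
    print("vulnerable ->", link_host(build_reset_link_vulnerable("evil.example", token)))
    print("safe       ->", build_reset_link_safe("evil.example", token))
    print("safe       ->", link_host(build_reset_link_safe("example.com", token) or ""))
```

The allow-list check deliberately compares whole hostnames rather than substrings, since prefix or suffix matching is where Host validation usually goes wrong; the canonical origin is read from configuration so the reset email never depends on any request-supplied value.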