diff --git a/test/api/v3/integration/chat/POST-chat.flag.test.js b/test/api/v3/integration/chat/POST-chat.flag.test.js index 9e89131f6c..7521b1b9a2 100644 --- a/test/api/v3/integration/chat/POST-chat.flag.test.js +++ b/test/api/v3/integration/chat/POST-chat.flag.test.js @@ -223,4 +223,23 @@ describe('POST /chat/:chatId/flag', () => { expect(auMessageToCheck).to.not.exist; }); + + it('validates that the message belongs to the passed group', async () => { + const { group: anotherGroup, groupLeader: anotherLeader } = await createAndPopulateGroup({ + groupDetails: { + name: 'Another Guild', + type: 'guild', + privacy: 'private', + }, + upgradeToGroupPlan: true, + }); + + const message = await anotherUser.post(`/groups/${group._id}/chat`, { message: TEST_MESSAGE }); + await expect(anotherLeader.post(`/groups/${anotherGroup._id}/chat/${message.message.id}/flag`)) + .to.eventually.be.rejected.and.eql({ + code: 404, + error: 'NotFound', + message: t('messageGroupChatNotFound'), + }); + }); }); diff --git a/test/api/v3/integration/chat/POST-chat.like.test.js b/test/api/v3/integration/chat/POST-chat.like.test.js index f06455566d..e605958be8 100644 --- a/test/api/v3/integration/chat/POST-chat.like.test.js +++ b/test/api/v3/integration/chat/POST-chat.like.test.js @@ -1,5 +1,6 @@ import { find } from 'lodash'; import { + generateUser, createAndPopulateGroup, translate as t, } from '../../../../helpers/api-integration/v3'; 
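Review bot: The new test pins the 404 for a cross-group `chatId` but never checks that the rejected request left the message in `group` untouched; after the `.rejected` assertion, re-fetch the group's chat and assert the message carries no flag from `anotherLeader`, the way the preceding tests inspect `auMessageToCheck`. That turns the test into a check of the actual security property (no side effect on another group's message) rather than only of the status code. Using the other group's leader rather than a plain member is the right choice, since it exercises the highest-privilege cross-group caller. The enclosing `describe` starts outside the hunk.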
@@ -79,4 +80,35 @@ describe('POST /chat/:chatId/like', () => {
 const messageToCheck = find(groupWithoutChatLikes.chat, { id: message.message.id });
 expect(messageToCheck.likes[user._id]).to.equal(false);
 });
+
+ it('validates that the message belongs to the passed group', async () => {
+ const { group: anotherGroup, groupLeader: anotherLeader } = await createAndPopulateGroup({
+ groupDetails: {
+ name: 'Another Guild',
+ type: 'guild',
+ privacy: 'private',
+ },
+ upgradeToGroupPlan: true,
+ });
+
+ const message = await anotherUser.post(`/groups/${groupWithChat._id}/chat`, { message: testMessage });
+ await expect(anotherLeader.post(`/groups/${anotherGroup._id}/chat/${message.message.id}/like`))
+ .to.eventually.be.rejected.and.eql({
+ code: 404,
+ error: 'NotFound',
+ message: t('messageGroupChatNotFound'),
+ });
+ });
+
+ it('does not like a message if the user is not in the group', async () => {
+ const thirdUser = await generateUser();
+
+ const message = await user.post(`/groups/${groupWithChat._id}/chat`, { message: testMessage });
+ await expect(thirdUser.post(`/groups/${groupWithChat._id}/chat/${message.message.id}/like`))
+ .to.eventually.be.rejected.and.eql({
+ code: 404,
+ error: 'NotFound',
+ message: t('groupNotFound'),
+ });
+ });
 });
diff --git a/test/api/v3/integration/user/auth/PUT-user_update_email.test.js b/test/api/v3/integration/user/auth/PUT-user_update_email.test.js
index 3044471e38..7449460254 100644
--- a/test/api/v3/integration/user/auth/PUT-user_update_email.test.js
+++ b/test/api/v3/integration/user/auth/PUT-user_update_email.test.js
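Review bot: Both new tests stop at the 404 and never check that `likes` on the original message is unchanged; the context lines just above already show the pattern, `find(group.chat, { id: message.message.id })` followed by an assertion on `.likes`, so reusing it after each rejection would confirm the rejected call had no side effect. The second test's expectation of `groupNotFound` for a non-member is consistent with the controller's `Group.getGroup({ user, groupId })` yielding nothing for users outside the group, assuming that helper enforces membership (it is not in this diff). The enclosing `describe` starts outside the hunk.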
@@ -108,6 +108,20 @@ describe('PUT /user/auth/update-email', () => { const isValidPassword = await bcryptCompare(textPassword, user.auth.local.hashed_password); expect(isValidPassword).to.equal(true); }); + + it('invalidates any outstanding password reset code', async () => { + await user.updateOne({ + 'auth.local.passwordResetCode': 'impossible-reset-code', + }); + + await user.put(ENDPOINT, { + newEmail: 'bogo@example.com', + password: oldPassword, + }); + + await user.sync(); + expect(user.auth.local.passwordResetCode).to.not.exist; + }); }); context('Social Login User', async () => { diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js index 24c22d0980..9700ddfe1a 100644 --- a/website/server/controllers/api-v3/auth.js +++ b/website/server/controllers/api-v3/auth.js @@ -432,6 +432,7 @@ api.updateEmail = { } user.auth.local.email = req.body.newEmail.toLowerCase(); + user.auth.local.passwordResetCode = undefined; await user.save(); return res.respond(200, { email: user.auth.local.email }); diff --git a/website/server/controllers/api-v3/chat.js b/website/server/controllers/api-v3/chat.js index 2299cbe5d7..4d3ca353c0 100644 --- a/website/server/controllers/api-v3/chat.js +++ b/website/server/controllers/api-v3/chat.js @@ -295,7 +295,7 @@ api.likeChat = { const group = await Group.getGroup({ user, groupId }); if (!group) throw new NotFound(res.t('groupNotFound')); - const message = await Chat.findOne({ _id: req.params.chatId }).exec(); + const message = await Chat.findOne({ _id: req.params.chatId, groupId: group._id }).exec(); if (!message) throw new NotFound(res.t('messageGroupChatNotFound')); if (!message.likes) message.likes = {}; diff --git a/website/server/libs/chatReporting/groupChatReporter.js b/website/server/libs/chatReporting/groupChatReporter.js index 719b6392b3..2270674259 100644 --- a/website/server/libs/chatReporting/groupChatReporter.js +++ b/website/server/libs/chatReporting/groupChatReporter.js 
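Review bot: `user.auth.local.passwordResetCode = undefined;` needs a why-comment, because nothing nearby explains why an email update touches the reset flow; suggested: `// A reset code was mailed to the previous address; it must not stay usable after the email changes.` Clearing the stored field only helps if the reset endpoint validates the submitted code against `auth.local.passwordResetCode` rather than merely decrypting the token it receives — that handler is not in this diff, so worth confirming. Mongoose should translate the `undefined` assignment into an `$unset` on `save()`, which is what the new test's `to.not.exist` asserts. The same invalidation arguably belongs in the password-change path as well, if it is not already there. `updateEmail`'s handler starts and ends outside the hunk.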
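Review bot: The group-scoped lookup `Chat.findOne({ _id: req.params.chatId, groupId: group._id })` is the actual authorization check here, but it reads like a plain query; a one-line comment would keep the next edit from dropping the filter: `// scope to the group the caller was just authorized for, so a chatId from another group cannot be liked`. Any other handler in this file that still fetches a message by `_id` alone (delete, clear-flags, mark-seen and similar) would need the same `groupId` filter; they are not in this diff, so this is a check to make rather than a defect seen. `likeChat`'s handler starts and ends outside the hunk.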
@@ -36,7 +36,7 @@ export default class GroupChatReporter extends ChatReporter { }); if (!group) throw new NotFound(this.res.t('groupNotFound')); - const message = await Chat.findOne({ _id: this.req.params.chatId }).exec(); + const message = await Chat.findOne({ _id: this.req.params.chatId, groupId: group._id }).exec(); if (!message) throw new NotFound(this.res.t('messageGroupChatNotFound')); if (message.uuid === 'system') throw new BadRequest(this.res.t('messageCannotFlagSystemMessages', { communityManagerEmail: COMMUNITY_MANAGER_EMAIL }));
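Review bot: This query duplicates the one added to `likeChat` in chat.js, and the security property lives in one easily-dropped key; a style point: move it into a single helper, e.g. a static `Chat.findInGroup(chatId, groupId)` or a shared function in the chat libs, and call it from both places so any future chat endpoint gets the group scoping by construction. Until then, a comment on the line, `// groupId filter is the cross-group authorization check; keep in sync with likeChat`, at least ties the two together. The enclosing method starts and ends outside the hunk.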