Account takeover using reset password link
Medium
Mars
Team Summary
Official summary from Mars
A vulnerability was found in the Mars website (█████████) where the reset password functionality can be manipulated. The reset password link sent via email contains a parameter that specifies the path of the reset password page. An attacker can modify this parameter to redirect users to a domain under their control when the link is clicked. This allows the attacker to obtain the password reset token and use it to reset the user's password, gaining unauthorized access to their account.
Reported by: haoshokunoo
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Open Redirect