On Login Page, There Is A “from=” parameter in URL which is vulnerable to open redirect and which can be escalated to reflected XSS.
This vulnerability is capable of making users to redirect to any malicious website using open redirect and reflected XSS can help the attacker to fetch cookies and also for phishing.