The /user/login endpoint does not check the value of the next parameter when the user is logged in and passes it directly to the redirect, which results in an open redirect. The bug also exists in /user/logout, /user/register, /user/login, /user/resend-activation.
1. Go to http://127.0.0.1:8000/user/login/?next=https://evil.com
This bug results in an open redirect.
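One way to validate the next parameter before redirecting, as an added example that is not the project's own code. The function name safe_next, its parameters and the fallback path "/" are assumptions; only the Python standard library is used.

```python
from urllib.parse import urlsplit

def safe_next(next_url, request_host, fallback="/"):
    """Return next_url if it stays on request_host, else fallback.

    safe_next, request_host and fallback are hypothetical names for this
    example; request_host is the Host the application itself is served on.
    """
    if not next_url:
        return fallback
    candidate = next_url.strip()
    # Browsers drop tabs/newlines and treat "\" like "/", so "/\evil.com"
    # or "/\t/evil.com" can end up as "//evil.com". Reject them outright.
    if "\\" in candidate or any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return fallback
    # "//evil.com" is scheme-relative: it keeps the scheme, changes the host.
    if candidate.startswith("//"):
        return fallback
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback
    if parts.scheme:
        # Absolute URL: only http(s) to our own host is acceptable. This also
        # rejects "javascript:..." and host-less forms like "https:evil.com".
        if parts.scheme not in ("http", "https"):
            return fallback
        if parts.netloc.lower() != request_host.lower():
            return fallback
        return candidate
    # No scheme: accept only a path rooted at "/".
    if parts.netloc or not candidate.startswith("/"):
        return fallback
    return candidate

# Constructed sample inputs; the host matches the URL used in the report.
if __name__ == "__main__":
    for value in ["https://evil.com", "//evil.com", "/\\evil.com", "/user/profile"]:
        print(repr(value), "->", safe_next(value, "127.0.0.1:8000"))
```

Each of the affected endpoints would pass the value through this check before handing it to the redirect, so an off-site target falls back to the default path.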