Mojira Archive
WEB-305

The fix implemented for WEB-268 is insufficient

Though the fix implemented resolves the XSS vulnerability, it leaves an open redirect vulnerability. This allows for phishing attacks. If an attacker were to design a page that looked identical to the login page, it would be easy to fool an unsuspecting passerby into thinking that the login page simply popped up twice. The proper fix for this would be to only allow redirects for relative URLs, similar to the change-language's "next" parameter. This is a pretty decent threat, as it allows for very convincing phishing attacks.

Fixed

Dylan

[Mojang] Web Team

2016-03-10, 05:12 AM

2016-03-30, 11:48 AM

2016-03-30, 11:48 AM

0

2
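
One way to enforce the relative-URLs-only rule proposed in the report, as an added example (not Mojang's code and not part of the original ticket). The function name, the default target and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # assumed landing page used when the parameter is rejected


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Return candidate only if it is a same-site rooted path, else default."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Browsers strip tabs/newlines and treat "\" like "/", so "/\host" or
    # "/<TAB>/host" can be interpreted as the protocol-relative URL "//host".
    if "\\" in candidate or any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate):
        return default
    # Require a rooted path; "//host" is protocol-relative and leaves the site.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Belt and braces: the parsed value must carry no scheme and no host.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return candidate


# Constructed sample values for a post-login redirect parameter.
SAMPLES = [
    "/account/profile?tab=security",  # same-site path: allowed
    "https://login.example.invalid/",  # absolute URL: rejected
    "//login.example.invalid/",        # protocol-relative: rejected
    "/\\login.example.invalid/",       # backslash variant: rejected
    "/\t/login.example.invalid/",      # control character variant: rejected
    "javascript:alert(1)",             # non-HTTP scheme: rejected
]


def check_samples():
    """Map each constructed sample to the target the server would redirect to."""
    return {s: safe_redirect_target(s) for s in SAMPLES}


if __name__ == "__main__":
    for value, target in check_samples().items():
        print(f"{value!r:40} -> {target!r}")
```
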