Account takeover due to insufficient URL validation on RelayState parameter