Leaking of password reset tokens via referrer header


• 3.5

NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

The password reset token may be leaked via the referrer header to untrusted sources. Here are some potential attack scenarios:

1. Admin sets their JIRA logo to a logo sourced from an untrusted site (this is not usually considered an issue).
2. A user forgets their password, requests a password reset email, and clicks the link in an issue. Alternatively, the admin of the untrusted site requests a password reset for a victim and hopes they click the link, which could happen.
3. The user is taken to the password reset screen, the logo is requested, and the referrer header sent with that logo request contains the password reset token.
4. The site the logo comes from uses that referrer header to reset the user's password before the user has an opportunity to

Another potential scenario is that the admin sets the JIRA logo to one hosted on a trusted static site which, because the site is static and contains no confidential information, leaves its web statistics unprotected.

A good solution to this problem is, when receiving a password reset request from an email link, to store the token in the session and redirect the user to another screen that asks for the new password, so that the token is not in the URL of the page that renders the form.
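The leak and the session-based fix the report proposes, as an added Python illustration (this is not JIRA's code; the URLs, paths, tokens and in-memory stores are constructed for the example):

```python
"""Added illustration, not JIRA's code: a reset token in the page URL leaks via Referer,
while consuming it and redirecting to a clean URL does not. All values are constructed."""
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit

RESET_TOKENS = {"tok-7f3a9c": "alice"}  # constructed: outstanding one-time token -> account
SESSIONS = {}                            # constructed server-side session store: sid -> data
RESET_FORM_URL = "https://jira.example/secure/reset-form"  # constructed clean URL, no token


def referer_for_subresource(page_url: str) -> str:
    """Referer a browser sends when the page at page_url loads a cross-site image under the
    no-referrer-when-downgrade policy (the historical default; modern browser defaults strip
    path and query cross-origin): fragment dropped, query string kept."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaks_token(referer: str) -> bool:
    """What the logo host, or its unprotected web statistics, can read from the Referer."""
    return "token" in parse_qs(urlsplit(referer).query)


def vulnerable_reset(link_url: str):
    """Original flow: the form is rendered at the emailed URL, token still in the address bar."""
    token = parse_qs(urlsplit(link_url).query).get("token", [None])[0]
    if token not in RESET_TOKENS:
        return 404, None
    return 200, link_url  # every <img> on this page sends this URL as Referer


def hardened_reset(link_url: str):
    """Proposed flow: consume the token server-side, bind the account to a fresh session,
    and redirect to a URL that never carries the token."""
    token = parse_qs(urlsplit(link_url).query).get("token", [None])[0]
    account = RESET_TOKENS.pop(token, None)  # single use: the emailed link is now dead
    if account is None:
        return 404, None, None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"reset_account": account}
    return 302, RESET_FORM_URL, sid  # Set-Cookie: sid; Location: RESET_FORM_URL


def complete_reset(sid: str, new_password: str):
    """Form POST on the clean URL: the account comes from the session, not from the URL.
    Returns the account whose password was reset, or None if the session is invalid."""
    data = SESSIONS.pop(sid, None)
    if data is None or not new_password:
        return None
    return data["reset_account"]
```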

Assignee: Dougall Johnson
Reporter: James Roper [Atlassian]
Votes: 0
Watchers: 2