The vulnerability stems from client-side JavaScript in base_plain.html that unsafely sets window.location using URL hash input. While the XSS execution occurs client-side, the server-side views that render this template (used by authentication endpoints) are critical components in delivering the vulnerable code. The affected URLs (/authentication/login/, /authentication/password/reset/, etc.) correspond to Django view classes in the authentication app that would appear in server-side profiler traces when these endpoints are accessed. Confidence is medium as we infer view names from URL patterns and Django conventions, though exact implementation details aren't shown in provided patches.