Stored XSS on the /gallery/ endpoint. Discovered on the day of the public program launch.
Request interception was necessary.
<img src="..." alt="[injection]">
Similar to #380204, but with a different root cause.
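The injection point above is the alt attribute of the gallery image. As an added illustration (not code from the original report; function names are hypothetical), here is the vulnerable interpolation beside an attribute-escaped version, plus a simple check that a rendered snippet still contains only the one img tag:

```javascript
// Added example: HTML attribute-context escaping for a user-controlled alt value.
// Assumption: the vulnerable pattern is raw string interpolation into the attribute.

// Escape for use inside a double-quoted HTML attribute (and text content).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the raw value is placed inside alt="...".
function renderVulnerable(src, alt) {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened: escaping is applied at output time, in the attribute context.
function renderSafe(src, alt) {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Check: a correctly rendered gallery image is exactly one tag.
// Any additional tag means the value broke out of the attribute.
function tagCount(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample input: closes the alt attribute and opens a new tag.
const SAMPLE_ALT = '">[injection]<i>x';
```

With `SAMPLE_ALT`, `renderVulnerable` yields two tags while `renderSafe` keeps the marker inside the attribute as `&quot;&gt;[injection]&lt;i&gt;x`.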
Severity was set based on factors such as: the number of potential users affected, attack complexity, no user interaction required for the vector, and the possibility of stealing sensitive information or bypassing CSRF protection on the user's side.
I had some previous experience with the triage team, so in this case it was enough to demonstrate a simple popup, without a complex payload.
Thanks to the team for great report handling and bounty!