Stored XSS on the
/users/<username>/favorites endpoints with same root cause. Discovered in the day of public program launch.
Request interception wasn't necessary.
<img src="..." alt="[injection]">
Severity was set due to the factors such as: number of potential users affected, attack complexity, no user interaction vector, and possibility to steal sensitive information or bypass CSRF protection on the user's side. I had previously some experience with triage team, so in this case it was enough to demonstrate simple popup, without complex payload. Thanks to the team for great report handling and bounty!