
Stored XSS Vulnerability Discovered in OopsSec Store's Product Review Feature
Tags: cybersecurity, vulnerability, stored_xss, web_application, server_side_sanitization, dompurify, react, exploit, ctf, oopssec_store
A stored XSS (Cross-Site Scripting) vulnerability has been identified in the product review functionality of the OopsSec Store. The application does not sanitize user input on the server side and renders review content as raw HTML on the client side, so scripts embedded in a review are executed. An attacker can inject JavaScript via a review; the payload is stored in the database and runs every time the product page loads. Exploiting this flaw allowed retrieval of the file /xss-flag.txt, which contains the flag OSS{cr0ss_s1t3_scr1pt1ng_xss}. The vulnerability stems from a lack of server-side sanitization (absence of DOMPurify) and direct HTML injection through insecure React references.
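The following is an added example, not OopsSec Store's code: it contrasts the raw-HTML rendering described above with output encoding, and audits rows that were stored before a fix. The review rows, field names and function names are constructed for illustration, and plain output encoding stands in for DOMPurify on the assumption that reviews are plain text.

```javascript
// Constructed stand-in for the reviews table; rows hold whatever was submitted.
const storedReviews = [
  { id: 1, author: 'alice', content: 'Great mug, 5 < 10 minutes to unpack & use.' },
  { id: 2, author: 'mallory', content: '<img src=x onerror="alert(1)">' }, // constructed payload
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored content is concatenated into markup as raw HTML.
function renderReviewUnsafe(review) {
  return `<li><b>${review.author}</b>: ${review.content}</li>`;
}

// Hardened: every stored field is encoded at output time, so markup arrives as text.
function renderReviewSafe(review) {
  return `<li><b>${escapeHtml(review.author)}</b>: ${escapeHtml(review.content)}</li>`;
}

// Audit rows stored before the fix: flag tag openers, inline event handlers
// and javascript: URLs. A heuristic for triage, not a sanitizer.
function findSuspectReviews(rows) {
  const markup = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;
  return rows.filter((row) => markup.test(row.content)).map((row) => row.id);
}

console.log(renderReviewUnsafe(storedReviews[1]));
console.log(renderReviewSafe(storedReviews[1]));
console.log('suspect review ids:', findSuspectReviews(storedReviews));
```

In React, the same effect comes from rendering the review as a text child, which React escapes by default, instead of assigning it as HTML.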