This bug is slightly more complex because it is a stored XSS reported on December 14th, 2015, by a bug bounty hunter called Ivan Gringorov.
He discovered XSS in a form where a user can customize a link for a personal online store. The fields in the form were not validating the inputs properly, and derived in an XSS.
These fields were stored in the application and then, when a user accessed the application, he saw the following result:
If you want to read the complete report, you can find the original post here: https://hackerone.com/reports/104359.