A Cross-Site Scripting (XSS) payload was found to bypass CloudFront WAF when the payload was reflected in the location function. The payload 'jAvaScripT:(alert)`1`' successfully triggered an alert. This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the target application. More details will be provided in the blog post.
Check out the original tweet here: https://twitter.com/A7medBasiony/status/1793163810523820337
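
A defensive counterpart to the note above, as an added example that is not from the original tweet or blog post: because a WAF signature can miss a value like this, the application should validate anything it reflects into `location` itself, using a scheme allowlist on the parsed URL rather than a string blocklist. The names `safeNavigationTarget`, `naiveBlocklistCheck`, `ALLOWED_SCHEMES` and the origin `https://app.example` are hypothetical, and the blocklist function is a constructed illustration, not a model of any real WAF rule.

```javascript
// Added example: validate a reflected value before it reaches a navigation
// sink such as `location = value`. All names and the origin are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const APP_ORIGIN = "https://app.example"; // assumed application origin

// Brittle approach, shown for contrast only: a case-sensitive substring
// blocklist. Returns true when the value "looks safe" to the filter.
function naiveBlocklistCheck(value) {
  return !value.includes("javascript:");
}

// Hardened approach: parse first, then allowlist. Returns a normalized
// same-origin URL string, or null when the value must be rejected.
function safeNavigationTarget(untrusted, appOrigin = APP_ORIGIN) {
  if (typeof untrusted !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser lowercases the scheme, so the check below sees
    // the same scheme the browser would act on when assigning to location.
    url = new URL(untrusted, appOrigin);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // scheme allowlist
  if (url.origin !== appOrigin) return null;           // no off-site redirects
  return url.href;
}

// Constructed sample inputs; the first is the payload quoted in the text.
function checkSamples() {
  const samples = [
    "jAvaScripT:(alert)`1`",
    "/account/settings?tab=1",
    "https://app.example/home",
    "//other.example/landing",
  ];
  return samples.map((s) => ({
    input: s,
    blocklistSaysSafe: naiveBlocklistCheck(s),
    target: safeNavigationTarget(s),
  }));
}

console.log(checkSamples());
```

On the client, pass only the non-null return value to `location`; on the server, apply the same check before the value is written into the page.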