This tweet highlights a critical WAF bypass vulnerability reported to AikidoSecurity and Intigriti, involving stored XSS (Cross-Site Scripting) that leads to account takeover. The reporter provided a 3-minute-14-second proof-of-concept video along with the full payloads. Despite its critical severity rating, the report (reference AIKIDO-RE3H38UN) has received no acknowledgment or response since January 15th. The user asks whether "silent fixing", applying fixes without notifying the reporter, is now the vendor's policy. The case illustrates the challenges of vulnerability disclosure and of communication between security researchers and WAF vendors: if the WAF's protection can be bypassed to plant stored XSS that results in account takeover, the flaw is serious, and the tweet serves as a call for better handling of, and transparency in, vulnerability response processes by security vendors.
For more details, check out the original tweet here: https://twitter.com/RoshanS7704/status/2038987851208217084