
Posts

Featured

CVE-2018-13065 : ModSecurity 3.0.0 has XSS via an onError attribute of an IMG element.

After doing an intense source code analysis of ModSecurity Web Application Firewall 3.0.0, which is one of the most popular open source Web Application Firewalls, I found that the web filter could be bypassed by using certain commands. I will contact the required authorities to get it fixed, but until then I cannot publicly disclose the tags that I have used. But I can guarantee that the process is replicable, and I have tried it on multiple machines. I intend to publish it in its totality as soon as it is resolved, and will guide you through the process.

Latest Posts

Future Plans for this Blog

CVE-2018-12706 : DIGISOL DG-BR4000NG devices have a Buffer Overflow via a long Authorization HTTP header.

CVE-2018-12705 : Digisol Wireless Router DG-BR4000NG XSS Proof of Concept

About Me.