PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6396 Webpagetest Project CVE debrief

CVE-2017-6396 is a cross-site scripting vulnerability in WPO-Foundation WebPageTest 3.0. According to the NVD record, user-supplied data reaching webpagetest-master/www/compare-cf.php was not sufficiently filtered, allowing an attacker to execute arbitrary HTML and JavaScript in a victim’s browser in the context of the vulnerable website. This is a medium-severity, network-reachable issue that depends on user interaction and can affect confidentiality and integrity in the browser session.

Vendor
Webpagetest Project
Product
Webpagetest
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-02
Original CVE updated
2026-05-13
Advisory published
2017-03-02
Advisory updated
2026-05-13

Who should care

Operators and developers responsible for WebPageTest 3.0 deployments, especially any instance exposing compare-cf.php or related comparison features to users. Security teams should also care if the application is used in shared, authenticated, or internal environments where browser-session abuse could expose data or actions.

Technical summary

The published NVD record classifies the flaw as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is described as insufficient filtration of untrusted input sent to compare-cf.php, enabling script or HTML injection that executes in the browser under the vulnerable site’s origin. The supplied corpus does not include proof-of-concept details, but it does identify a vendor issue tracker reference and third-party references associated with the issue.

Defensive priority

Medium. Prioritize if the application is internet-facing, widely used by authenticated users, or embedded in workflows where browser-origin trust matters. Because exploitation requires user interaction, the risk is lower than unauthenticated server compromise, but the browser-context impact can still be significant.

Recommended defensive actions

  • Review and patch the WebPageTest deployment to address input handling in compare-cf.php and any related comparison endpoints.
  • Apply context-appropriate output encoding and server-side validation for all user-controlled parameters rendered into HTML or JavaScript contexts.
  • Add a temporary server-side filter or web application firewall rule if immediate patching is not possible, focusing on compare-cf.php request parameters.
  • Audit logs and application telemetry for unusual requests to compare-cf.php and for suspicious script-bearing input patterns.
  • Restrict access to WebPageTest to trusted users or internal networks until remediation is confirmed.
  • Verify the deployed version and confirm whether the vendor issue referenced in the corpus resulted in a fixed release or local mitigation.

Evidence notes

The debrief is based only on the supplied NVD-derived record and referenced links. The record states: WebPageTest 3.0, insufficient filtration of user-supplied data in webpagetest-master/www/compare-cf.php, and arbitrary HTML/script execution in the browser context of the vulnerable site. The record also supplies the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-79, and a published date of 2017-03-02. The modified date in the source record is 2026-05-13 and is treated as a record update, not the vulnerability discovery date.

Official resources

Publicly disclosed on 2017-03-02; the supplied NVD record was last modified on 2026-05-13.