PatchSiren cyber security CVE debrief
CVE-2017-6396 Webpagetest Project CVE debrief
CVE-2017-6396 is a cross-site scripting vulnerability in WPO-Foundation WebPageTest 3.0. According to the NVD record, user-supplied data reaching webpagetest-master/www/compare-cf.php was not sufficiently filtered, allowing an attacker to execute arbitrary HTML and JavaScript in a victim’s browser in the context of the vulnerable website. This is a medium-severity, network-reachable issue that depends on user interaction and can affect confidentiality and integrity in the browser session.
- Vendor: Webpagetest Project
- Product: CVE-2017-6396
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Operators and developers responsible for WebPageTest 3.0 deployments, especially any instance exposing compare-cf.php or related comparison features to users. Security teams should also care if the application is used in shared, authenticated, or internal environments where browser-session abuse could expose data or actions.
Technical summary
The published NVD record classifies the flaw as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is described as insufficient filtering of untrusted input sent to compare-cf.php, enabling script or HTML injection that executes in the browser under the vulnerable site's origin. The supplied corpus does not include proof-of-concept details, but it does identify a vendor issue tracker reference and third-party references associated with the issue.
Defensive priority
Medium. Prioritize if the application is internet-facing, widely used by authenticated users, or embedded in workflows where browser-origin trust matters. Because exploitation requires user interaction, the risk is lower than unauthenticated server compromise, but the browser-context impact can still be significant.
Recommended defensive actions
- Review and patch the WebPageTest deployment to address input handling in compare-cf.php and any related comparison endpoints.
- Apply context-appropriate output encoding and server-side validation for all user-controlled parameters rendered into HTML or JavaScript contexts.
- Add a temporary server-side filter or web application firewall rule if immediate patching is not possible, focusing on compare-cf.php request parameters.
- Audit logs and application telemetry for unusual requests to compare-cf.php and for suspicious script-bearing input patterns.
- Restrict access to WebPageTest to trusted users or internal networks until remediation is confirmed.
- Verify the deployed version and confirm whether the vendor issue referenced in the corpus resulted in a fixed release or local mitigation.
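As an added example (not from the advisory or the WebPageTest project), the log review step above implemented in Python: it parses combined-format access log lines, URL-decodes every query parameter of requests to compare-cf.php and flags values carrying markup or inline-script indicators. The log lines and the parameter names `tests` and `label` are constructed for illustration; the record does not name the vulnerable parameter, so every parameter of the endpoint is checked.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access log format (assumed logging format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse, defender-side indicators of markup or script in a decoded parameter
# value: a tag that can carry script, an inline event handler, or a javascript: URL.
# This is a triage heuristic, not a complete XSS grammar, so expect some false positives.
SCRIPT_HINTS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object|embed|body|style)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Constructed sample log lines; IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:12:00:01 +0000] "GET /compare-cf.php?tests=170310_AB_1,170310_AB_2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2017:12:00:05 +0000] "GET /compare-cf.php?tests=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2017:12:00:07 +0000] "GET /result.php?test=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2017:12:01:00 +0000] "GET /compare-cf.php?label=x+onload%3Dalert HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]


def flag_line(line):
    """Return a finding for a compare-cf.php request with script-bearing parameters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: surface separately in real tooling
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/compare-cf.php"):
        return None
    # parse_qsl decodes percent-encoding and '+' once, matching how PHP fills $_GET.
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = [name for name, value in params if SCRIPT_HINTS.search(value)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "params": hits}


def scan(lines):
    """Return all findings, in log order, for an iterable of access log lines."""
    return [finding for finding in map(flag_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```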
Evidence notes
The debrief is based only on the supplied NVD-derived record and referenced links. The record states: WebPageTest 3.0, insufficient filtration of user-supplied data in webpagetest-master/www/compare-cf.php, and arbitrary HTML/script execution in the browser context of the vulnerable site. The record also supplies the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-79, and a published date of 2017-03-02. The modified date in the source record is 2026-05-13 and is treated as a record update, not the vulnerability discovery date.
Official resources
- CVE-2017-6396 CVE record (CVE.org)
- CVE-2017-6396 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
Publicly disclosed on 2017-03-02; the supplied NVD record was last modified on 2026-05-13.