How serious is CVE-2017-6396?

This vulnerability has a CVSS score of 6.1 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2017-6396?

Yes, proof-of-concept exploit code for CVE-2017-6396 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2017-6396?

CVE-2017-6396 affects webpagetest project webpagetest. Check the full CVE details for specific version information.

How do I fix CVE-2017-6396?

To remediate CVE-2017-6396, check for security patches from webpagetest project. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2017-6396

Medium

|6.1

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker can inject malicious HTML and script code into a web page, which could then run in the browser of anyone visiting that page. This vulnerability occurs because the application does not properly filter the data provided by users, allowing the attacker to exploit it without needing special access.

Technical Description

An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "webpagetest-master/www/compare-cf.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

Confidentiality ImpactLow

Integrity ImpactLow

Availability ImpactNone

ScopeChanged

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$862($500-$1K)

Vendor Response

Grade FPatched in 3270 days

Quick Information

Published

Mar 2, 2017

almost 9 years ago

Last Modified

Feb 13, 2026

7 days ago

Vendor

webpagetest project

Product

webpagetest

Related Vulnerabilities

CVE-2017-6541Medium

An attacker can inject and run malicious scripts in a user's browser when they visit a specific page on the webpagetest site, potentially stealing sensitive information or manipulating the user's session. This occurs because the site does not properly filter user input, allowing harmful code to be executed if a user is tricked into clicking a specially crafted link.

CVE-2017-6537Medium

An attacker can inject and run malicious scripts in a user's browser when they visit a specific page on a vulnerable webpagetest site. This happens because the site doesn't properly filter user input for a color setting, allowing the attacker to manipulate the page's content if they can trick someone into visiting a crafted link.