Vulnerability Key Information Vulnerability Type Cross-Site Scripting (XSS) Description An XSS issue was discovered in WebPageTest 3.0 due to insufficient filtration of user-supplied data ( ) passed to the URL. An attacker could execute arbitrary HTML and script code in a browser. Environment Setup Software: WebPageTest (https://github.com/catchpoint/WebPageTest) Version: 3.0 Tested on: Windows 10 Exploit Description The component is vulnerable to reflected XSS due to insufficient sanitization of the parameter, allowing arbitrary JavaScript execution. Steps to Reproduce 1. Access a WebPageTest 3.0 instance. 2. Open the PoC URL in a browser. 3. Observe the result. Proof of Concept URL: