Reflected XSS in Results tab in phoronix-test-suite/phoronix-test-suite
Valid
Reported on Jun 8th 2022
Description
Please enter a description of the vulnerability.
Proof of Concept
1. Install a local instance of phoronix
2. Run a benchmark
3. When the test is complete, for example the result id is xxxxx
4. Access http://localhost/?result/xxxxx&ppd_U1lTVEVN=abc"onfocus="alert(origin)"+autofocus="abc&oss=&submit=Refresh+Results
You will see an alert box
Impact
This vulnerability is capable of Reflected XSS
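The report does not show the code that reflects ppd_U1lTVEVN, so the following is an added example, not part of the report and not phoronix-test-suite code. It assumes the value is echoed into a double-quoted attribute of an input element (the helper names and markup are hypothetical) and shows why the value from step 4 escapes the attribute, next to the encoded form that keeps it inert.

```php
<?php
// Added illustration. Helper names and the <input> markup are assumptions,
// not code from phoronix-test-suite.

// Vulnerable pattern: the request value is concatenated into a quoted attribute.
function render_filter_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Attribute-context encoding: &, <, >, " and ' are emitted as entities.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode every request-derived string at the point of output.
function render_filter_safe(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Structural check: the template contributes exactly six double quotes
// (three attributes), so any extra one came from unencoded input.
function quotes_balanced(string $html): bool
{
    return substr_count($html, '"') === 6;
}

// Query-string fragment from step 4 of the report; parse_str() URL-decodes it
// ('+' becomes a space), as PHP does when it fills $_GET.
parse_str('ppd_U1lTVEVN=abc"onfocus="alert(origin)"+autofocus="abc&oss=&submit=Refresh+Results', $query);

foreach (['unsafe' => 'render_filter_unsafe', 'safe' => 'render_filter_safe'] as $label => $render) {
    $html = $render('ppd_U1lTVEVN', $query['ppd_U1lTVEVN']);
    echo $label, ': ', $html, PHP_EOL;
    echo '  quotes balanced: ', quotes_balanced($html) ? 'yes' : 'no', PHP_EOL;
}
```

In the unsafe output the first quote in the value closes the value attribute, so onfocus and autofocus are parsed as attributes of the element; in the safe output every quote is written as &quot; and the whole string stays inside value.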
We are processing your report and will contact the phoronix-test-suite team within 24 hours.
a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back
a year ago
A phoronix-test-suite/phoronix-test-suite maintainer modified the Severity from High to Low
a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
A phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.4 with commit bce1fb
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE