Reflected XSS in Results tab in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Jun 8th 2022


Description

Please enter a description of the vulnerability.

Proof of Concept

1. Install a local instance of phoronix
2. Run a benchmark
3. When the test is complete, for example the result id is xxxxx
4. Acess http://localhost/?result/xxxxx&ppd_U1lTVEVN=abc"onfocus="alert(origin)"+autofocus="abc&oss=&submit=Refresh+Results
You will see alert box

Impact

This vulnerability is capable of Reflected XSS

We are processing your report and will contact the phoronix-test-suite team within 24 hours. 21 days ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back 20 days ago
phoronix-test-suite/phoronix-test-suite maintainer modified the Severity from High to Low 18 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability 18 days ago
Andy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
phoronix-test-suite/phoronix-test-suite maintainer confirmed that a fix has been merged on bce1fb 18 days ago
The fix bounty has been dropped
to join this conversation