Cross-Site Request Forgery (CSRF) in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Jan 10th 2022


Description

Hello phoronix test suite maintainer team, there is a Cross site request forgery vulnerability in phoronix test suite.

Proof of Concept

  1. Install phoronix test suite on your system
  2. Create a test suite
  3. Open another tab in browser and go to the link /?local_suites/delete/<suite-name>-1.0.0, for example if suite name is suite-1, then the link would be /?local_suites/delete/suite-1-1.0.0 and see that the local test suite is deleted.

Impact

This vulnerability is capable of CSRF.

We are processing your report and will contact the phoronix-test-suite team within 24 hours. 18 days ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back 17 days ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability 17 days ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer confirmed that a fix has been merged on 4f1829 17 days ago
The fix bounty has been dropped