oss-sec mailing list archives

CVE Request - Piwik 0.5.5 - XSS vulnerability

From: Anthon Pang <anthon.pang () gmail com>
Date: Wed, 5 May 2010 15:03:06 -0400

A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release.  The
advisory is published here:
http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/

Description:

A non-persistent, cross-site scripting vulnerability (XSS) was found in
Piwik's Login form that reflected the form_url parameter without being
properly escaped or filtered. To exploit this vulnerability, the attacker
tricks a Piwik user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Piwik users are encouraged to update to the
latest version of Piwik. This issue exists in Piwik versions 0.1.6 through
0.5.5.

In Piwik 0.6, the form_url parameter has been removed.

Current thread:

CVE Request - Piwik 0.5.5 - XSS vulnerability Anthon Pang (May 05)
- Re: CVE Request - Piwik 0.5.5 - XSS vulnerability Josh Bressers (May 05)