oss-sec mailing list archives
CVE Request - Piwik 0.5.5 - XSS vulnerability
From: Anthon Pang <anthon.pang () gmail com>
Date: Wed, 5 May 2010 15:03:06 -0400
A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release. The advisory is published here: http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/

Description:

A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik's Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Piwik user into visiting a Login URL crafted by the attacker. While this is a low risk threat, Piwik users are encouraged to update to the latest version of Piwik.

This issue exists in Piwik versions 0.1.6 through 0.5.5. In Piwik 0.6, the form_url parameter has been removed.
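The defect described above is a request parameter echoed into an HTML attribute without output encoding. The following is an added illustration, not Piwik's code: a toy login-form renderer with the reflecting pattern beside the escaped form, plus an allow-list check that only accepts a relative, same-site path for the parameter (going one step beyond the advisory, which resolved the issue by dropping the parameter entirely). The template, function names and sample input are all constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for a login form that carries a post-login redirect
# target in a hidden field (the page names the parameter form_url).
LOGIN_FORM_TEMPLATE = (
    '<form method="post" action="index.php?module=Login">'
    '<input type="hidden" name="form_url" value="{form_url}">'
    '<input type="text" name="form_login">'
    '<input type="password" name="form_password">'
    '</form>'
)


def render_login_reflecting(form_url: str) -> str:
    """Reflects the parameter verbatim: anything containing '"' or '<'
    can break out of the value attribute and become markup."""
    return LOGIN_FORM_TEMPLATE.format(form_url=form_url)


def render_login_escaped(form_url: str) -> str:
    """Output-encodes the parameter for an HTML attribute context.
    quote=True is essential here: the value sits inside double quotes,
    so '"' must become &quot; as well as '<' and '>' becoming entities."""
    return LOGIN_FORM_TEMPLATE.format(form_url=html.escape(form_url, quote=True))


def is_safe_form_url(form_url: str) -> bool:
    """Allow-list check (assumed policy, not Piwik's): accept only a
    relative path on the same site, so the parameter cannot carry an
    absolute URL, a scheme such as javascript:, or a protocol-relative
    //host reference. Escaping still applies when rendering."""
    parts = urlsplit(form_url)
    if parts.scheme or parts.netloc:
        return False
    if form_url.startswith(("/", "\\")):
        return False
    return form_url != ""


def safe_render_login(form_url: str, default: str = "index.php") -> str:
    """Validate first, fall back to a fixed default, then escape on output."""
    target = form_url if is_safe_form_url(form_url) else default
    return render_login_escaped(target)


if __name__ == "__main__":
    # Constructed input: closes the attribute and injects a custom tag.
    sample = 'index.php?module=CoreHome"><x-injected>'
    print(render_login_reflecting(sample))
    print(render_login_escaped(sample))
    print(safe_render_login("//evil.example/"))
```

Run the script to see the two renderings side by side: the reflecting version emits the injected tag as real markup, while the escaped version keeps the whole value inside the attribute. The validation step is a defence in depth; the rendering fix is what actually closes the reflected XSS.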