oss-sec mailing list archives

Re: CVE Request: Multiple XSS Vulnerabilities < Piwik 1.1


From: Josh Bressers <bressers () redhat com>
Date: Thu, 6 Jan 2011 13:57:05 -0500 (EST)

Please use CVE-2011-0004 for the multiple XSS flaws.

Thanks.

-- 
    JB


----- Original Message -----
Piwik 1.1, released on Jan 4, 2011, addresses numerous security issues
following a security audit by SektionEins (led by Stefan Esser), an
internal review, and coordinated disclosures from Jarosław Sajko
(Pentesters.pl) and Fabian Becker.

Notably, versions of Piwik prior to 1.1 contain multiple persistent and
reflective XSS vulnerabilities through unescaped parameters and/or
output.

Security advisory:
http://piwik.org/blog/2011/01/piwik-1-1-security-advisory/
Other advisory:
http://piwik.org/blog/2011/01/professional-security-audit-in-piwik/
Changelog: http://piwik.org/blog/2011/01/piwik-1-1-2/
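The advisory names the bug class but not the affected parameters. As an added illustration (not Piwik's code, and not taken from the advisory), the following PHP shows the general shape of both flaws named above, reflected XSS through an echoed request parameter and persistent XSS through stored data rendered back verbatim, beside the escaped version. The function names, the `q` parameter and the sample inputs are invented for the example.

```php
<?php
// Added illustration, not Piwik code: the general pattern behind XSS through
// unescaped request parameters (reflected) and unescaped stored data
// (persistent), beside the escaped version. Names and inputs are invented.

declare(strict_types=1);

/** Escape a string for an HTML text or quoted-attribute context. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: echoes the query parameter and stored names verbatim. */
function renderVulnerable(array $params, array $storedNames): string
{
    $q = $params['q'] ?? '';
    $html = "<p>Results for: $q</p>\n";          // reflected XSS sink
    foreach ($storedNames as $name) {
        $html .= "<li>$name</li>\n";              // persistent XSS sink
    }
    return $html;
}

/** Fixed: every untrusted value is escaped at the point of output. */
function renderFixed(array $params, array $storedNames): string
{
    $q = esc($params['q'] ?? '');
    $html = "<p>Results for: $q</p>\n";
    foreach ($storedNames as $name) {
        $html .= '<li>' . esc($name) . "</li>\n";
    }
    return $html;
}

// Constructed inputs: a hostile query parameter, and a hostile value that was
// previously saved (e.g. through an admin form) and is now rendered back.
$params = ['q' => '<script>alert(document.cookie)</script>'];
$storedNames = ['Example Site', '"><img src=x onerror=alert(1)>'];

echo "--- vulnerable ---\n", renderVulnerable($params, $storedNames);
echo "--- fixed ---\n", renderFixed($params, $storedNames);

// Quick check: the fixed output must not carry raw tags from user data.
assert(strpos(renderFixed($params, $storedNames), '<script') === false);
assert(strpos(renderFixed($params, $storedNames), '<img') === false);
```

Escaping at the output sink, with the entity set matching the context (`ENT_QUOTES` so attribute values are covered too), is what closes both variants; filtering on input alone does not help once a value has already been stored.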

