Date: Wed, 5 May 2010 15:03:06 -0400 From: Anthon Pang <anthon.pang@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request - Piwik 0.5.5 - XSS vulnerability A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release. The advisory is published here: http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/ Description: A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik's Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Piwik user into visiting a Login URL crafted by the attacker. While this is a low risk threat, Piwik users are encouraged to update to the latest version of Piwik. This issue exists in Piwik versions 0.1.6 through 0.5.5. In Piwik 0.6, the form_url parameter has been removed.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.