Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 May 2010 15:03:06 -0400
From: Anthon Pang <>
Subject: CVE Request - Piwik 0.5.5 - XSS vulnerability

A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release.  The
advisory is published here:


A non-persistent, cross-site scripting vulnerability (XSS) was found in
Piwik's Login form that reflected the form_url parameter without being
properly escaped or filtered. To exploit this vulnerability, the attacker
tricks a Piwik user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Piwik users are encouraged to update to the
latest version of Piwik. This issue exists in Piwik versions 0.1.6 through

In Piwik 0.6, the form_url parameter has been removed.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.