Date: Wed, 5 May 2010 16:28:34 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: CVE Request - Piwik 0.5.5 - XSS vulnerability Here you go: CVE-2010-1453 Piwik < 0.6 Login form XSS Thanks. -- JB ----- "Anthon Pang" <anthon.pang@...il.com> wrote: > A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release. > The > advisory is published here: > http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/ > > Description: > > A non-persistent, cross-site scripting vulnerability (XSS) was found > in > Piwik's Login form that reflected the form_url parameter without > being > properly escaped or filtered. To exploit this vulnerability, the > attacker > tricks a Piwik user into visiting a Login URL crafted by the > attacker. > > While this is a low risk threat, Piwik users are encouraged to update > to the > latest version of Piwik. This issue exists in Piwik versions 0.1.6 > through > 0.5.5. > > In Piwik 0.6, the form_url parameter has been removed.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.