Date: Wed, 5 May 2010 16:28:34 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request - Piwik 0.5.5 - XSS vulnerability

Here you go:

CVE-2010-1453 Piwik < 0.6 Login form XSS

Thanks.

--
JB

----- "Anthon Pang" <anthon.pang@...il.com> wrote:
> A Piwik XSS vulnerability is fixed by the latest Piwik 0.6 release. The
> advisory is published here:
> http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/
>
> Description:
>
> A non-persistent, cross-site scripting vulnerability (XSS) was found in
> Piwik's Login form that reflected the form_url parameter without being
> properly escaped or filtered. To exploit this vulnerability, the attacker
> tricks a Piwik user into visiting a Login URL crafted by the attacker.
>
> While this is a low risk threat, Piwik users are encouraged to update to the
> latest version of Piwik. This issue exists in Piwik versions 0.1.6 through
> 0.5.5.
>
> In Piwik 0.6, the form_url parameter has been removed.
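The advisory quoted above describes the classic reflected-XSS pattern: a request parameter (form_url) is written back into the login page without output encoding. The PHP below is an added illustration of that pattern and of the contextual-encoding fix; it is not Piwik's code, the function names and the hidden-field markup are assumptions, and the sample inputs are constructed. Piwik's own fix in 0.6 took the other valid route the advisory mentions, removing the parameter entirely.

```php
<?php
// Added example, not Piwik code. Shows a reflected parameter echoed into an
// HTML attribute unencoded, and the same output with contextual encoding.
// Function names and the hidden-field markup are assumptions for this demo.

// Vulnerable pattern: the request parameter lands in the HTML exactly as sent.
function render_hidden_field_unescaped(string $formUrl): string
{
    return '<input type="hidden" name="form_url" value="' . $formUrl . '">';
}

// Hardened pattern: encode for the HTML attribute context before emitting.
// ENT_QUOTES encodes both quote characters, so the value cannot terminate the
// attribute; ENT_SUBSTITUTE keeps malformed UTF-8 from turning the output into
// an empty string, which would otherwise be a silent failure of the template.
function render_hidden_field_escaped(string $formUrl): string
{
    $safe = htmlspecialchars($formUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="form_url" value="' . $safe . '">';
}

// Review/test helper: after stripping the fixed template, the part that came
// from the request must contain no raw '<' or '"' characters. Anything else
// means the input could change the structure of the page.
function attribute_value_is_safe(string $html): bool
{
    $prefix = '<input type="hidden" name="form_url" value="';
    $suffix = '">';
    $inner  = substr($html, strlen($prefix), -strlen($suffix));
    return strpos($inner, '<') === false && strpos($inner, '"') === false;
}

// Constructed sample inputs (placeholders, not values from the advisory):
// a benign redirect target and a value that tries to close the attribute.
$benign  = 'https://analytics.example.test/index.php?module=CoreHome';
$hostile = '"><b>injected</b>';

foreach ([$benign, $hostile] as $value) {
    echo "input:     $value\n";
    echo "unescaped: " . render_hidden_field_unescaped($value) . "\n";
    echo "escaped:   " . render_hidden_field_escaped($value) . "\n";
    echo "unescaped safe? " . var_export(attribute_value_is_safe(render_hidden_field_unescaped($value)), true) . "\n";
    echo "escaped safe?   " . var_export(attribute_value_is_safe(render_hidden_field_escaped($value)), true) . "\n\n";
}
```

Run it with `php example.php`. The benign URL passes both checks, while the hostile value passes only after encoding, which is the property a unit test around a template should assert. Note that encoding is context-specific: the same value placed inside a JavaScript string or a URL would need the encoder for that context, not htmlspecialchars.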