Multiple XSS vulnerabilties are fixed by the Piwik 1.1 release.
CVE-2011-004. Piwik versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected.
This security update is rated critical, and Piwik users are strongly encouraged to update to the latest version of Piwik.
The Piwik project and community thanks Stefan Esser of SektionEins for leading the software security audit. The Piwik project also appreciates the coordinated disclosures from Jarosław Sajko of Pentesters.pl, and Piwik contributor, Fabian Becker.
Update (January 12, 2011):
NIST has assigned additional CVEs for improvements made in this release:
- CVE-2011-398 – Potential spoofing of the X-Forwarded-For header. As of Piwik 1.1, users must configure the proxy header(s) to be trusted. (credit: Stefan Esser)
- CVE-2011-399 – Login forms may be framed. As of Piwik 1.1, clickjacking countermeasures are activated by default. (The behaviour is configureable.) (credit: Anthon Pang)
- CVE-2011-400 – Cookie.php does not set login cookie’s secure flag for https login. (credit: Anthon Pang)
- CVE-2011-401 – Potential denial-of-service due to undeleted session files. This has been classified as a web server configuration error (e.g., default Debian configuration). Piwik mitigates by setting session.gc_probability, if unset.