The current version of Piwik (1.8.2) is not affected by this vulnerability. Piwik neither uses nor includes the XmlRpc component from Zend Framework.

Piwik users are, however, encouraged to upgrade to the latest versions of Piwik and PHP to take advantage of new features and bug fixes.

References:

  • ZF2011-01: Local file disclosure via XXE injection in Zend_XmlRpc
  • CVE-2012-3363

Anthon Pang

- An active contributor for years, Anthon has designed some major features in Piwik, such as the first version of the JavaScript tracker. He still regularly advises the team.