Piwik 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by the Zend_Log security advisory (disclosed Jan. 11, 2010) because Piwik uses UTF-8.

Furthermore, Piwik is not affected by security advisories ZF2010-02 through ZF2010-06 because Piwik uses a subset of ZF which does not include Zend_Form, Zend_View, Zend_Dojo, Zend_Filter, Zend_File, Zend_Service, or Zend_Json.

Piwik users are, however, encouraged to upgrade to the latest version to take advantage of new features and bug fixes.

Reference: Potential XSS vectors due to inconsistent encodings


Anthon Pang

- An active contributor for years, Anthon has designed some major features in Piwik, such as the first version of the JavaScript tracker. He still regularly advises the team.