A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Piwik user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Piwik users are encouraged to update to the latest version of Piwik. This issue exists in Piwik versions 0.1.6 through 0.5.5.

In Piwik 0.6, the form_url parameter has been removed.


  • CVE-2010-1453 – Login Form XSS

Any questions?

Many answers and more information about Piwik You can find here:

We are social

Follow us: