A non-persistent (reflected) cross-site scripting (XSS) vulnerability was found in Piwik’s Login form, which reflected the form_url parameter without properly escaping or filtering it. To exploit this vulnerability, an attacker tricks a Piwik user into visiting a Login URL crafted by the attacker.

While this is a low-risk threat, Piwik users are encouraged to update to the latest version of Piwik. This issue exists in Piwik versions 0.1.6 through 0.5.5.

In Piwik 0.6, the form_url parameter has been removed.
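The following PHP snippet is an added illustration of the vulnerability class this advisory describes and is not Piwik's own code. It contrasts a hypothetical template that writes a form_url-style parameter straight into an attribute value with a hardened version that applies the two controls that close such a hole: restricting the value to a plain relative path and HTML-encoding it for the attribute context. The function names, the default target `index.php`, and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not Piwik code: a reflected-XSS pattern beside its fix.

// Hypothetical vulnerable rendering: the request parameter lands inside an
// attribute value without encoding, so a double quote in the input closes
// the action attribute and whatever follows is parsed as markup.
function renderLoginFormUnsafe(string $formUrl): string
{
    return '<form method="post" action="' . $formUrl . '">'
         . '<input type="text" name="form_login">'
         . '<input type="password" name="form_password">'
         . '</form>';
}

// Control 1 (validation): accept only a plain relative path and query string.
// Anything carrying a scheme ("http:"), an authority ("//host"), whitespace or
// characters outside the allow-list falls back to a fixed default target.
function sanitizeFormUrl(string $formUrl, string $default = 'index.php'): string
{
    if (preg_match('#\A/(?!/)[A-Za-z0-9_./?=&%-]*\z#', $formUrl) === 1) {
        return $formUrl;
    }
    return $default;
}

// Control 2 (output encoding): ENT_QUOTES encodes both " and ' so the value
// cannot terminate the attribute whichever quote style the template uses.
function renderLoginFormSafe(string $formUrl): string
{
    $target  = sanitizeFormUrl($formUrl);
    $encoded = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $encoded . '">'
         . '<input type="text" name="form_login">'
         . '<input type="password" name="form_password">'
         . '</form>';
}

// Constructed sample input: a value containing a quote and angle brackets.
$probe = '"><b>injected</b>';

// Unsafe: action="" is closed early and <b>injected</b> is emitted as markup.
echo renderLoginFormUnsafe($probe), PHP_EOL;

// Safe: the probe fails validation, so the fixed default action="index.php" is used.
echo renderLoginFormSafe($probe), PHP_EOL;

// Safe with a legitimate value: the path passes validation and the ampersand is
// encoded as &amp; so the URL survives intact inside the attribute.
echo renderLoginFormSafe('/index.php?module=CoreHome&action=index'), PHP_EOL;
```

Both controls matter on their own: encoding alone would stop the markup injection but still let an attacker choose an arbitrary post-login destination, while validation alone would leave any later template that forgets to encode exposed again. Removing the parameter entirely, as Piwik 0.6 did, eliminates the reflection point altogether.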

References:

  • CVE-2010-1453 – Login Form XSS

Anthon Pang

An active contributor for years, Anthon has designed some major features in Piwik, such as the first version of the JavaScript tracker. He still regularly advises the team.