A non-persistent (reflected) cross-site scripting (XSS) vulnerability was found in Matomo’s Login form, which reflected the form_url parameter into the page without properly escaping or filtering it. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker; script embedded in the form_url value then runs in the victim’s browser in the context of the Matomo site.
While this is a low-risk issue, Matomo (Piwik) users are encouraged to update to the latest version of Matomo. The issue exists in Matomo versions 0.1.6 through 0.5.5.
In Matomo (Piwik) 0.6, the form_url parameter has been removed.
- CVE-2010-1453 – Login Form XSS
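The following Python program is added here as an illustration of the three states of the parameter described above; it is not Matomo’s code (Matomo is written in PHP and renders its login form from a template, and the markup below is a simplified stand-in). It shows form_url reflected verbatim into an attribute value (the vulnerable pattern), the same template with the value HTML-escaped for the attribute context, and a template that does not reflect the parameter at all (the approach taken in 0.6), together with a check that counts the script elements a browser would actually parse. The hostname, the payload and the form markup are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payload for illustration: it closes the value="..." attribute the
# parameter is reflected into and injects a script element. It is not taken
# from any published exploit for CVE-2010-1453.
PAYLOAD = '"><script>alert(document.cookie)</script>'

# Hypothetical installation URL; not a real Matomo host.
LOGIN_URL = "https://matomo.example.org/index.php?module=Login"


def build_attack_url(login_url: str, payload: str) -> str:
    """Craft the link the attacker sends to the victim: the login page with a
    malicious form_url query parameter appended."""
    return login_url + "&" + urlencode({"form_url": payload})


def form_url_from_request(url: str) -> str:
    """Server side: pull form_url out of the request query string, as the
    vulnerable login page effectively did."""
    return parse_qs(urlsplit(url).query).get("form_url", [""])[0]


def render_login_vulnerable(form_url: str) -> str:
    """Illustrative vulnerable pattern: the parameter is reflected verbatim into
    an attribute value, so a double quote in it breaks out of the attribute."""
    return (
        '<form method="post" action="index.php?module=Login">'
        f'<input type="hidden" name="form_url" value="{form_url}">'
        '<input type="text" name="form_login">'
        '<input type="password" name="form_password">'
        "</form>"
    )


def render_login_escaped(form_url: str) -> str:
    """Hardened variant: HTML-escape the value for the attribute context
    (quote=True also encodes the double and single quote characters)."""
    safe = html.escape(form_url, quote=True)
    return (
        '<form method="post" action="index.php?module=Login">'
        f'<input type="hidden" name="form_url" value="{safe}">'
        '<input type="text" name="form_login">'
        '<input type="password" name="form_password">'
        "</form>"
    )


def render_login_removed() -> str:
    """The approach Matomo 0.6 took: the parameter is not reflected at all,
    so there is no sink for the attacker-controlled value."""
    return (
        '<form method="post" action="index.php?module=Login">'
        '<input type="text" name="form_login">'
        '<input type="password" name="form_password">'
        "</form>"
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags, i.e. script a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(page: str) -> int:
    """Parse the rendered page the way a browser would and count script
    elements; escaped text inside an attribute does not produce one."""
    parser = _ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts


def reflected_unescaped(page: str, payload: str) -> bool:
    """Cheap check: the raw payload survives verbatim in the response."""
    return payload in page


if __name__ == "__main__":
    url = build_attack_url(LOGIN_URL, PAYLOAD)
    value = form_url_from_request(url)
    for name, page in (
        ("vulnerable", render_login_vulnerable(value)),
        ("escaped", render_login_escaped(value)),
        ("removed", render_login_removed()),
    ):
        print(f"{name:10s} script tags={count_script_tags(page)} "
              f"reflected={reflected_unescaped(page, PAYLOAD)}")
```

Only the vulnerable rendering yields a script element when parsed; the escaped rendering still carries the attacker’s text, but only as character references inside the attribute value, where a browser treats it as data. Not reflecting the parameter at all, as 0.6 did, removes the sink entirely rather than relying on the template escaping every occurrence correctly.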