Matomo 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Matomo users are encouraged to update to the latest version of Matomo. This issue exists in Matomo versions 0.1.6 through 0.5.5.

In Matomo 0.6, the form_url parameter has been removed.

References:

  • CVE-2010-1453 – Login Form XSS

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email