A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker.
While this is a low risk threat, Matomo users are encouraged to update to the latest version of Matomo. This issue exists in Matomo versions 0.1.6 through 0.5.5.
In Matomo 0.6, the form_url parameter has been removed.
- CVE-2010-1453 – Login Form XSS