Multiple XSS vulnerabilties are fixed by the Matomo (Piwik) 1.1 release.
CVE-2011-004. Matomo (Piwik) versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected.
This security update is rated critical, and Matomo (Piwik) users are strongly encouraged to update to the latest version of Matomo.
The Matomo (Piwik) project and community thanks Stefan Esser of SektionEins for leading the software security audit. The Matomo project also appreciates the coordinated disclosures from Jarosław Sajko of Pentesters.pl, and Matomo contributor, Fabian Becker.
Update (January 12, 2011):
NIST has assigned additional CVEs for improvements made in this release:
- CVE-2011-398 – Potential spoofing of the X-Forwarded-For header. As of Matomo (Piwik) 1.1, users must configure the proxy header(s) to be trusted. (credit: Stefan Esser)
- CVE-2011-399 – Login forms may be framed. As of Matomo (Piwik) 1.1, clickjacking countermeasures are activated by default. (The behaviour is configureable.) (credit: Anthon Pang)
- CVE-2011-400 – Cookie.php does not set login cookie’s secure flag for https login. (credit: Anthon Pang)
- CVE-2011-401 – Potential denial-of-service due to undeleted session files. This has been classified as a web server configuration error (e.g., default Debian configuration). Matomo (Piwik) mitigates by setting session.gc_probability, if unset.