Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Piwik XSS #1269

mattab opened this Issue · 5 comments

2 participants


I saw on twitter a Piwik XSS tweet pointing to

we should fix it and check other variables to ensure there is no xss left.

I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.


(In [2038]) refs #1269


(In [2039]) refs #1269


(In [2047]) refs #1269


While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.

I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.


I disabled the sensitivity plugin for now, also closing this.. please reopen if there is open issue.

@mattab mattab added this to the Piwik 0.6 milestone
@robocoder robocoder was assigned by mattab
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.