Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: piwik before 1.6
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Mar 2012 12:17:28 -0600

On 03/18/2012 01:20 AM, Henri Salo wrote:
This case is still not handled. Information from the URL:

The Piwik 1.5 release addresses a critical security vulnerability, which affect all Piwik users that have let granted 
some access to the "anonymous" user. Users should upgrade immediately.

Piwik 1.5 contains a remotely exploitable vulnerabiliy that could allow a remote attacker to execute arbitrary code. 
Only Installations that have granted untrusted view access to their stats (ie. grant "view" access to a website to 
anonymous) are at risk.

CVE ID: not yet assigned
Known Versions Affected: Piwik 1.2, 1.3, and 1.4

This issue was disclosed to us privately and safely. Our thanks to Neal Poole for discovering and reporting the issue 
to the Piwik Security Team. Neal is the first bounty recipient of Piwik's Security Bug Bounty program.

This release also includes Zend Framework 1.11.6 which addresses a potential SQL injection vector when using 
PDO_MySql. Piwik users should be unaffected as it has used UTF-8 since Piwik 0.5.

- Henri Salo


Please use CVE-2011-4941 for this issue.

Kurt Seifried Red Hat Security Response Team (SRT)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]