Piwik · CVE-2009-4140
**Name of the Vulnerable Software and Affected Versions**
Open Flash Chart versions 2 Beta 1 through 2 (the `php-ofc-library` component, also bundled by the products below)
Piwik versions 0.2.35 through 0.4.3
Woopra Analytics Plugin versions prior to 1.4.3.2
**Description**
The upload script `ofc_upload_image.php` in Open Flash Chart's `php-ofc-library` takes a file name from the `name` request parameter and writes the request body, held in the `$HTTP_RAW_POST_DATA` variable, to that name under `tmp-upload-images/` without checking the extension. When PHP's `register_globals` setting is enabled, a request parameter named `HTTP_RAW_POST_DATA` is imported into that same variable, so a remote attacker (no authentication is required; the script is reachable by anyone who can reach the product's web root) can supply a name with an executable extension such as `.php` together with PHP code in the `HTTP_RAW_POST_DATA` parameter, then execute the code by requesting the dropped file directly from `tmp-upload-images/`.
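The two-step pattern described above (an upload through `ofc_upload_image.php` with an executable `name`, followed by a direct fetch from `tmp-upload-images/`) is easy to spot in web server access logs after the fact. The following is an added example, not code from the advisory or from the Piwik or Open Flash Chart projects: it parses Combined Log Format lines and correlates the two steps. The log lines, the IP addresses and the `/piwik/libs/open-flash-chart/...` install path are constructed for the example; adjust the path to where the library lives in your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (Apache/nginx default). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions a PHP-enabled web server will execute when the file lands in a web-reachable directory.
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Constructed sample log: a benign page view, an upload of shell.php, the follow-up request that
# runs it, a legitimate chart image upload, and a GET-only variant that carries the PHP code in the
# HTTP_RAW_POST_DATA query parameter (the register_globals path described in the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2009:14:02:11 +0000] "GET /piwik/index.php?module=CoreHome HTTP/1.1" 200 5123
203.0.113.7 - - [10/Dec/2009:14:02:15 +0000] "POST /piwik/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php HTTP/1.1" 200 64
203.0.113.7 - - [10/Dec/2009:14:02:19 +0000] "GET /piwik/libs/open-flash-chart/tmp-upload-images/shell.php?cmd=id HTTP/1.1" 200 97
198.51.100.4 - - [10/Dec/2009:14:05:01 +0000] "POST /piwik/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 64
203.0.113.9 - - [10/Dec/2009:14:09:40 +0000] "GET /piwik/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=x.phtml&HTTP_RAW_POST_DATA=%3C%3Fphp+system(%24_GET%5Bc%5D)%3B%3F%3E HTTP/1.1" 200 60
"""


def parse_line(line):
    """Parse one access log line into a dict with decoded path and query, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)  # parse_qs percent-decodes values for us
    return ev


def has_exec_ext(filename):
    """True if any dot-separated suffix of the basename is an executable extension.
    Checking every suffix (not just the last) catches names like shell.php.gif, which
    some AddHandler configurations still hand to the PHP interpreter."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any("." + part in EXEC_EXTS for part in base.split(".")[1:])


def find_ofc_uploads(lines):
    """Return a list of findings: 'upload' events where ofc_upload_image.php was given an
    executable name, and 'execute' events where that name was later fetched from tmp-upload-images/."""
    uploaded = set()
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        base = ev["path"].rsplit("/", 1)[-1]
        if base == "ofc_upload_image.php" and "name" in ev["query"]:
            for name in ev["query"]["name"]:
                # The PHP script applied basename(), so only the last path component matters.
                fname = name.replace("\\", "/").rsplit("/", 1)[-1]
                if has_exec_ext(fname):
                    uploaded.add(fname)
                    findings.append({
                        "kind": "upload", "ip": ev["ip"], "ts": ev["ts"], "file": fname,
                        "status": ev["status"],
                        # Code passed as a query parameter only works with register_globals on.
                        "code_in_query": "HTTP_RAW_POST_DATA" in ev["query"],
                    })
        elif "/tmp-upload-images/" in ev["path"] and base in uploaded:
            findings.append({"kind": "execute", "ip": ev["ip"], "ts": ev["ts"],
                             "file": base, "status": ev["status"]})
    return findings


if __name__ == "__main__":
    for f in find_ofc_uploads(SAMPLE_LOG.splitlines()):
        print(f)
```

A 200 on the `execute` event is the strongest indicator: it means the dropped file was served, so the host should be treated as compromised rather than merely probed. Upload attempts that went through a body rather than the query string show up only as the `upload` event, since request bodies are not logged.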
**Recommendations**
For Open Flash Chart versions 2 Beta 1 through 2, apply the vendor fix if one is available for your copy; otherwise remove `ofc_upload_image.php` (it only serves the chart's save-as-image feature) or restrict access to it at the web server, and deny script execution in `tmp-upload-images/`.
For Piwik versions 0.2.35 through 0.4.3, update Piwik itself to a release outside the affected range (NVD lists Piwik before 0.5 as affected); the Woopra plugin update below does not apply to Piwik, which bundles its own copy of the library. Until then, apply the Open Flash Chart workaround above to the bundled `php-ofc-library` directory.
For Woopra Analytics Plugin versions prior to 1.4.3.2, update to version 1.4.3.2 or later to resolve the issue.
As a temporary workaround, disable `register_globals` (`register_globals = Off` in php.ini; it is off by default since PHP 4.2 and removed in PHP 5.4), which removes the precondition for this attack. Keep the upload script itself out of reach as well, since a writable, web-reachable `tmp-upload-images/` directory fed by an unauthenticated script remains a risk on its own.