@mattab opened this issue on September 2nd 2015

It is possible to display custom text content on any Piwik instance as follows:

Reported to security team:

http://demo.piwik.org is vulnerable to
Content spoofing and exploitable to all users.

*Description:-* Content Spoofing An attack technique used to trick a
user into thinking that fake web site content is legitimate data and
is an attack targeting a user made possible by an injection
vulnerability in a web application. When an application does not
properly handle user supplied data, an attacker can supply content
to a web application, typically via a parameter value, that is
reflected back to the user.

Vulnerable URL- 

(Text Here)

I wanted to publicly acknowledge this limited security issue - maybe you have a suggestion on how this should be fixed, or whether we should fix it at all?

@haseebeqx commented on September 6th 2015

its not a security issue. it is a bug in the code simple code rearrange will fix this issue. created a pull request #8719 which will fix this

@sgiehl commented on September 6th 2015

fixed with #8719

This issue was closed on September 6th 2015
Powered by GitHub Issue Mirror