CVSS: 9.1EPSS: 1%CPEs: 6EXPL: 0CVE-2010-2786
https://notcve.org/view.php?id=CVE-2010-2786
02 Aug 2010 — Directory traversal vulnerability in Piwik 0.6 through 0.6.3 allows remote attackers to include arbitrary local files and possibly have unspecified other impact via directory traversal sequences in a crafted data-renderer request. Vulnerabilidad de salto de directorio en Piwik 0.6 a 0.6.3 permite a atacantes remotos incluir ficheros locales de su elección y posiblemente tener otro impacto no especificado a través de secuencias de salto de directorio en una petición manipulada data-renderer. • http://marc.info/?l=oss-security&m=128032989120346&w=2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 51EXPL: 1CVE-2010-1453 – Piwik 0.5.5 - 'form_url' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-1453
07 May 2010 — Cross-site scripting (XSS) vulnerability in the Login form in Piwik 0.1.6 through 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the form_url parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el formulario de login en Piwik v0.1.6 hasta v0.5.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro "form_url". • https://www.exploit-db.com/exploits/33814 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 6%CPEs: 8EXPL: 1CVE-2009-4137
https://notcve.org/view.php?id=CVE-2009-4137
24 Dec 2009 — The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail ... • https://github.com/Alexeyan/CVE-2009-4137 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 97%CPEs: 11EXPL: 10CVE-2009-4140 – Various Affected Software (Various Versions) - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2009-4140
21 Oct 2009 — Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upl... • https://packetstorm.news/files/id/123783 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2009-1085
https://notcve.org/view.php?id=CVE-2009-1085
25 Mar 2009 — Piwik 0.2.32 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the API key and other sensitive information via a direct request for misc/cron/archive.sh. Piwik v0.2.32 y anterioes almacenan información sensible bajo en directorio raíz Web con control de acceso insuficiente, lo que permite a atacantes remotos conseguir la clave API y otra información sensible a través de una petición directa de misc/cron/archive.sh. • http://dev.piwik.org/trac/ticket/599 • CWE-264: Permissions, Privileges, and Access Controls •