Notification

Urchin WebAnalytics Software is discontinued and is no longer supported. All Urchin documentation applies only to the Urchin product as it was at the time of discontinuation, and does not apply to any Google Analytics products or services.

Cross Site Scripting (XSS) Vulnerability in Urchin 5.703 and earlier

Overview

A cross site scripting (XSS) vulnerability exists in the login page for all versions of Urchin 5 up to and including 5.703.

Impact on Urchin Customers

This vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the site running Urchin.

Mitigation

A fix is available in the form of a drop-in replacement for the Urchin template file that contains the vulnerability. ZIP packages that contain the updated template file and installation instructions are available from download.urchin.com as:

Urchin 5 customers are strongly encouraged to apply this fix to all installed instances of Urchin 5.703.

Side Effect of Fix

Though this fix does not in any way affect the core functionality or accuracy of Urchin 5, it does introduce a slight session-specific behavioral change to the product. Previously, Urchin 5 would remember the Urchin screen that a user was on and would restore the user to that screen after a session timeout. After the fix is applied, Urchin no longer restores users to the screen they were on; they are taken to the default profile view landing page instead.
