Matomo Response to CVE-2011-3791

The path disclosure weakness described in CVE-2011-3791 does not affect Matomo (Piwik) 1.1.

Beginning with Matomo 0.6.3 (released June 2010), the installer creates Apache .htaccess and IIS web.config files to
prevent direct access to .php files. Users upgrading from an earlier beta version of Matomo, or using a different web server, should consult their web server’s configuration guide.

Please note “path disclosure vulnerabilities” do not qualify for Matomo’s Security Bug Bounty Program.

Reference: CVE-2011-3791

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email