Matomo Response to ZF2012-01 Security Advisory

The current version of Matomo (Piwik) (1.8.2) is not affected by this vulnerability. Matomo neither uses nor includes the XmlRpc component from Zend Framework. Matomo users are, however, encouraged to upgrade to the latest versions of Matomo and PHP to …

Read More

Matomo Response to ZF2011-02 Security Advisory

The current version of Matomo (Piwik) is not affected by this vulnerability. Since version 0.5 (released December 2009), Matomo checks (and sets, if required) the MySQL connection charset to UTF-8. Matomo users are, however, encouraged to upgrade to the latest …

Read More

Matomo Response to CVE-2011-3791

The path disclosure weakness described in CVE-2011-3791 does not affect Matomo (Piwik) 1.1. Beginning with Matomo 0.6.3 (released June 2010), the installer creates Apache .htaccess and IIS web.config files to prevent direct access to .php files. Users upgrading from an …

Read More

Matomo 1.5 – Security Advisory

The Matomo (Piwik) 1.5 release addresses a critical security vulnerability, which affect all Matomo users that have let granted some access to the “anonymous” user. Users should upgrade immediately. Description Matomo 1.5 contains a remotely exploitable vulnerabiliy that could allow …

Read More

Matomo 1.1 – Security Advisory

Multiple XSS vulnerabilties are fixed by the Matomo (Piwik) 1.1 release. Description: CVE-2011-004. Matomo versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected. This security update is rated critical, and Matomo users are strongly encouraged …

Read More

Matomo Response to ZF2010-07 Security Advisory

No Matomo (Piwik) releases up to and including Matomo 0.6.4 are affected by this advisory as the Dojo bundle is not included in the Matomo distribution (or svn). Matomo users are, however, encouraged to upgrade to the latest version to …

Read More

Matomo 0.6.4 Security Advisory CVE-2010-2786

An arbitrary file inclusion vulnerability is fixed by the latest Matomo (Piwik) 0.6.4 release. Description: Matomo versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer. …

Read More

Matomo 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted …

Read More