Matomo 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted … Read More

Matomo Response to Zend Framework Security Advisory ZF2010-01

Matomo (Piwik) 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by this security advisory to Zend_Log (disclosed Jan. 11, 2010) because Matomo uses UTF-8. Furthermore, Matomo (Piwik) is not affected by security advisories ZF2010-02 through ZF2010-06 because … Read More

Matomo 0.5, response to “Shocking News in PHP Exploitation”

The Matomo (Piwik) project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, “Shocking News in PHP Exploitation“. The potential security vulnerability exists in all versions of Matomo (Piwik) prior to version 0.5. While no exploit … Read More

Matomo 0.4.4, response to Secunia Advisory SA37078

The Matomo (Piwik) project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Matomo … Read More

Matomo 0.2.33, response to CVE-2009-1085

Reference: CVE-2009-1085 dated 03/25/2009 Contrary to the advisory, the Matomo (Piwik) project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving … Read More

Any questions?

Many answers and more information about Matomo you can find here:

We are social

Follow us: