Matomo Response to CVE-2011-3791

The path disclosure weakness described in CVE-2011-3791 does not affect Matomo (Piwik) 1.1. Beginning with Matomo 0.6.3 (released June 2010), the installer creates Apache .htaccess and IIS web.config files to prevent direct access to .php files. Users upgrading from an …

Matomo 1.5 – Security Advisory

The Matomo (Piwik) 1.5 release addresses a critical security vulnerability, which affects all Matomo users who have granted some access to the “anonymous” user. Users should upgrade immediately. Description: Matomo 1.5 contains a remotely exploitable vulnerability that could allow …

Matomo 1.1 – Security Advisory

Multiple XSS vulnerabilities are fixed by the Matomo (Piwik) 1.1 release. Description: CVE-2011-004. Matomo versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected. This security update is rated critical, and Matomo users are strongly encouraged …

Matomo Response to ZF2010-07 Security Advisory

No Matomo (Piwik) releases up to and including Matomo 0.6.4 are affected by this advisory as the Dojo bundle is not included in the Matomo distribution (or svn). Matomo users are, however, encouraged to upgrade to the latest version to …

Matomo 0.6.4 Security Advisory CVE-2010-2786

An arbitrary file inclusion vulnerability is fixed by the latest Matomo (Piwik) 0.6.4 release. Description: Matomo versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer. …

Matomo 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted …

Matomo Response to Zend Framework Security Advisory ZF2010-01

Matomo (Piwik) 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by this security advisory to Zend_Log (disclosed Jan. 11, 2010) because Matomo uses UTF-8. Furthermore, Matomo is not affected by security advisories ZF2010-02 through ZF2010-06 because Matomo …

Matomo 0.5, response to “Shocking News in PHP Exploitation”

The Matomo (Piwik) project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, “Shocking News in PHP Exploitation”. The potential security vulnerability exists in all versions of Matomo prior to version 0.5. While no exploit code …

Matomo 0.4.4, response to Secunia Advisory SA37078

The Matomo (Piwik) project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Matomo …
