A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted …
Matomo (Piwik) 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by this security advisory to Zend_Log (disclosed Jan. 11, 2010) because Matomo uses UTF-8. Furthermore, Matomo is not affected by security advisories ZF2010-02 through ZF2010-06 because Matomo …
The Matomo (Piwik) project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, “Shocking News in PHP Exploitation“. The potential security vulnerability exists in all versions of Matomo prior to version 0.5. While no exploit code …
The Matomo (Piwik) project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Matomo …
Reference: CVE-2009-1085 dated 03/25/2009 Contrary to the advisory, the Matomo (Piwik) project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving …
ZF2009-02: XSS vector in Zend_Filter_StripTags Matomo (Piwik) 0.2.33 (released Mar. 2, 2009) and earlier versions are not affected by this security advisory (disclosed Mar. 2, 2009) because Matomo uses a subset of ZF which does not include Zend_Filter. Matomo users …
ZF2009-01: LFI vector in Zend_View::setScriptPath() and render() Matomo (Piwik) 0.2.31 (released Feb 18, 2009) and earlier versions are not affected by this security advisory (disclosed Feb. 17, 2009) because Matomo uses a subset of ZF which does not include Zend_View. …