Matomo 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker.

While this is a low-risk threat, Matomo users are encouraged to update to the latest version of Matomo. This issue exists in Matomo versions 0.1.6 through 0.5.5.

In Matomo 0.6, the form_url parameter has been removed.
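The following PHP is an added illustration of the class of bug described above; it is not Matomo's code, and the function names and the allow-list pattern are hypothetical. It contrasts a login form that interpolates a reflected form_url parameter unescaped with one that allow-lists the value to a relative path and HTML-escapes it at output time (Matomo 0.6 instead removed the parameter entirely, which is the stronger fix).

```php
<?php
// Added illustration, not Matomo's code. Shows why a reflected "form_url"
// parameter is an XSS sink and how to render such a value safely.

// Vulnerable pattern: the raw parameter lands inside an attribute, so a
// quote or angle bracket in it changes the markup of the page.
function renderLoginFormVulnerable(array $request): string
{
    $formUrl = $request['form_url'] ?? 'index.php';
    return '<form method="post" action="' . $formUrl . '">' . "\n"
         . '  <input type="text" name="form_login">' . "\n"
         . '</form>';
}

// Hardened pattern: (1) accept only a plain relative path with an optional
// query string (no scheme, no protocol-relative "//" prefix, no quotes,
// spaces or control characters), and (2) escape at the point of output.
function sanitizeFormUrl(?string $candidate, string $default = 'index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Illustrative allow-list; adjust to the paths your application uses.
    if (!preg_match('~\A(?![a-zA-Z][a-zA-Z0-9+.-]*:)(?!//)[A-Za-z0-9_./?=&%-]+\z~', $candidate)) {
        return $default;
    }
    return $candidate;
}

function renderLoginFormHardened(array $request): string
{
    $formUrl = sanitizeFormUrl($request['form_url'] ?? null);
    $escaped = htmlspecialchars($formUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">' . "\n"
         . '  <input type="text" name="form_login">' . "\n"
         . '</form>';
}

// Constructed sample inputs: one that closes the attribute early, one legitimate.
$breakout = ['form_url' => 'index.php?module=Login" title="injected'];
$legit    = ['form_url' => 'index.php?module=Login&action=index'];

echo renderLoginFormVulnerable($breakout), "\n\n"; // attribute boundary broken
echo renderLoginFormHardened($breakout), "\n\n";   // rejected, falls back to index.php
echo renderLoginFormHardened($legit), "\n";        // accepted, "&" rendered as "&amp;"
```

The two layers are independent: the allow-list blocks off-site and non-HTTP targets, while the output escaping is what actually prevents the attribute breakout even if the allow-list were loosened later.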

References:

  • CVE-2010-1453 – Login Form XSS