Matomo 1.5 – Security Advisory

Contents

The Matomo (Piwik) 1.5 release addresses a critical security vulnerability, which affect all Matomo users that have let granted some access to the “anonymous” user. Users should upgrade immediately.

Description

Matomo 1.5 contains a remotely exploitable vulnerabiliy that could allow a remote attacker to execute arbitrary code. Only Installations that have granted untrusted view access to their stats (ie. grant “view” access to a website to anonymous) are at risk.

CVE: CVE-2011-4941
More information: osvdb.org/show/osvdb/73213
Known Versions Affected: Matomo 1.2, 1.3, and 1.4

Credits

This issue was disclosed to us privately and safely. Our thanks to Neal Poole for discovering and reporting the issue to the Matomo Security Team. Neal is the first bounty recipient of Matomo’s Security Bug Bounty program.

This release also includes Zend Framework 1.11.6 which addresses a potential SQL injection vector when using PDO_MySql. Matomo users should be unaffected as it has used UTF-8 since Matomo 0.5.

Enjoyed this post?
Join the 160,000+ subscribers who receive the Matomo Newsletter straight to their inbox every month
Get started with Matomo

A powerful web analytics platform that gives you and your business 100% data ownership and user privacy protection.

No credit card required.

Free forever.

Get started with Matomo

A powerful web analytics platform that gives you and your business 100% data ownership and user privacy protection.

No credit card required.

Free forever.