Matomo 0.6 – Security Advisory to CVE-2010-1453

Contents

A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted by the attacker.

While this is a low risk threat, Matomo users are encouraged to update to the latest version of Matomo. This issue exists in Matomo versions 0.1.6 through 0.5.5.

In Matomo 0.6, the form_url parameter has been removed.

References:

  • CVE-2010-1453 – Login Form XSS
Recommended for you
Enjoyed this post?
Join the 160,000+ subscribers who receive the Matomo Newsletter straight to their inbox every month

Subscribe to our newsletter to receive regular information about Matomo. You can unsubscribe at any time from it. This service uses SendGrid. Learn more about it within our privacy Policy page.

Get started with Matomo

A powerful web analytics platform that gives you and your business 100% data ownership and user privacy protection.

Try it free with email
Matomo On-Premise
Certified ISO 27001:2022

Certified ISO 27001:2022

Your analytics data is protected by globally recognised security standards.

Read more
Live websites using Matomo worldwide
0 K
Websites using Matomo including historical
0 M
Customer satisfaction
0 %

Own your data. Protect your privacy. Unlock better analytics.

Organisations should be able to understand their digital performance while mainteaning full ownership and control of their data.

Start Your Free Trial

No credit card required.