View online: https://www.drupal.org/sa-contrib-2025-008
Project: Matomo Analytics [1]
Date: 2025-January-29
Security risk: *Moderately critical* 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Affected versions: <1.24.0
Description:
This module enables you to add the Matomo web statistics tracking system to your website.
The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.
The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.
This vulnerability is mitigated by the fact that:
* The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
* An attacker must know the machine name of the container.
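
The following added example (not the Matomo module's code and not its actual patch) shows how this class of issue is normally closed in Drupal: a state-changing route without and with the `_csrf_token` route requirement. The route names, paths, permission string and controller class are hypothetical.

```yaml
# Hypothetical example_tag_manager.routing.yml, constructed for illustration.
# Names, paths, permission and controller are assumptions, not the module's own.

# Before: the route changes configuration, but access depends only on the
# permission of the logged-in user. A request that an administrator's browser
# is induced to send carries the session cookie and passes this check.
example_tag_manager.container.disable_unprotected:
  path: '/admin/config/example/containers/{container}/disable-unprotected'
  defaults:
    _controller: '\Drupal\example_tag_manager\Controller\ContainerController::disable'
  requirements:
    _permission: 'administer example containers'

# After: the same operation with Drupal's CSRF access check added.
# Access is granted only when the permission check passes AND the request
# carries a valid token for this path.
example_tag_manager.container.disable:
  path: '/admin/config/example/containers/{container}/disable'
  defaults:
    _controller: '\Drupal\example_tag_manager\Controller\ContainerController::disable'
  requirements:
    _permission: 'administer example containers'
    _csrf_token: 'TRUE'

example_tag_manager.container.enable:
  path: '/admin/config/example/containers/{container}/enable'
  defaults:
    _controller: '\Drupal\example_tag_manager\Controller\ContainerController::enable'
  requirements:
    _permission: 'administer example containers'
    _csrf_token: 'TRUE'
```

With `_csrf_token: 'TRUE'`, Drupal adds the token to URLs it generates for the route and denies access when the token on the request is missing or invalid, so links to these routes must be built through the routing system rather than hard-coded.
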
Solution: Install the latest version:
* If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to Matomo Analytics 8.x-1.24 [3]
Reported By:
* Ivo Van Geertruyen [4] of the Drupal Security Team
Fixed By:
* Ivo Van Geertruyen [5] of the Drupal Security Team
* Florent Torregrosa [6]
Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team
[1] https://www.drupal.org/project/matomo
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/matomo/releases/8.x-1.24
[4] https://www.drupal.org/user/383424
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/2388214
[7] https://www.drupal.org/user/383424