[Security-news] Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008
security-news at drupal.org
security-news at drupal.org
Wed Jan 29 17:48:53 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-008
Project: Matomo Analytics [1]
Date: 2025-January-29
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Affected versions: <1.24.0
Description:
This module enables you to add the Matomo web statistics tracking system to
your website.
The Matomo Analytics Tag Manager sub-module allows you to add one or more
Matomo tag containers on your website.
The module does not protect against Cross Site Request Forgeries on routes to
enable or disable containers.
This vulnerability is mitigated by the fact that:
* The website needs to have the submodule "Matomo Analytics Tag Manager"
enabled.
* An attacker must know the machine name of the container.
Solution:
Install the latest version:
* If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to
Matomo Analytics 8.x-1.24 [3]
Reported By:
* Ivo Van Geertruyen [4] of the Drupal Security Team
Fixed By:
* Ivo Van Geertruyen [5] of the Drupal Security Team
* Florent Torregrosa [6]
Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team
[1] https://www.drupal.org/project/matomo
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/matomo/releases/8.x-1.24
[4] https://www.drupal.org/user/383424
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/2388214
[7] https://www.drupal.org/user/383424
More information about the Security-news
mailing list