Update 2014: since this event occurred almost two years ago, we have made numerous improvements and added layers of security to ensure it does not happen again: The release packages are now hosted on a separate website at: builds.piwik.org. This …
The current version of Matomo (Piwik) (1.8.2) is not affected by this vulnerability. Matomo neither uses nor includes the XmlRpc component from Zend Framework. Matomo users are, however, encouraged to upgrade to the latest versions of Matomo and PHP to …
The current version of Matomo (Piwik) is not affected by this vulnerability. Since version 0.5 (released December 2009), Matomo checks (and sets, if required) the MySQL connection charset to UTF-8. Matomo users are, however, encouraged to upgrade to the latest …
The path disclosure weakness described in CVE-2011-3791 does not affect Matomo (Piwik) 1.1. Beginning with Matomo 0.6.3 (released June 2010), the installer creates Apache .htaccess and IIS web.config files to prevent direct access to .php files. Users upgrading from an …
The Matomo (Piwik) 1.5 release addresses a critical security vulnerability, which affect all Matomo users that have let granted some access to the « anonymous » user. Users should upgrade immediately. Description Matomo 1.5 contains a remotely exploitable vulnerabiliy that could allow …
Multiple XSS vulnerabilties are fixed by the Matomo (Piwik) 1.1 release. Description: CVE-2011-004. Matomo versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected. This security update is rated critical, and Matomo users are strongly encouraged …
Sites using the APS package of Matomo (Piwik) 0.5.4 (which we are referring to as, « Matomo Remix by Parallels », per our trademark policy) may be vulnerable to a shared salt value which may allow an attacker to spoof trusted cookies …
No Matomo (Piwik) releases up to and including Matomo 0.6.4 are affected by this advisory as the Dojo bundle is not included in the Matomo distribution (or svn). Matomo users are, however, encouraged to upgrade to the latest version to …
An arbitrary file inclusion vulnerability is fixed by the latest Matomo (Piwik) 0.6.4 release. Description: Matomo versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer. …
A non-persistent, cross-site scripting vulnerability (XSS) was found in Matomo’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Matomo (Piwik) user into visiting a Login URL crafted …