Thursday, Aug 3rd, 2023
Advisory ID: 
Security risk: 
Less Critical
Cross Site Scripting
Versions affected: 
  • Matomo versions prior to 2.12.2

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" to access the settings forms where this can be configured.


Upgrade your site to the most recent version of the Matomo module. Download available on the Matomo 1.x-2.12.2 release page.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form