Date: Thursday, Aug 3rd, 2023
Advisory ID: BACKDROP-SA-CONTRIB-2023-004
Security risk: Less Critical
Vulnerability: Cross Site Scripting
Versions affected: 
  • Matomo versions prior to 2.12.2
Description: 

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code that it loads on the website, so a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" to access the settings forms where this can be configured.
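
One way a site could check a configured script source before emitting it, shown as an added example that is not the Matomo module's code and not the change made in its fixed release. The function name, the allowlist and the hostnames are assumptions, and the allowlist is assumed to live somewhere the settings forms cannot edit (for example a settings file).

```php
<?php
// Added example: hypothetical helper, not code from the Matomo module.

/**
 * Returns TRUE only if $url is an HTTPS URL on an approved Matomo host.
 *
 * @param string   $url           Value submitted in a settings form.
 * @param string[] $allowed_hosts Hostnames the site owner trusts (assumption).
 */
function example_matomo_url_is_trusted(string $url, array $allowed_hosts): bool {
  $parts = parse_url(trim($url));
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    // Relative, protocol-relative ("//host/") and malformed values.
    return FALSE;
  }
  if (strtolower($parts['scheme']) !== 'https') {
    // Rejects http:, javascript:, data: and any other scheme.
    return FALSE;
  }
  if (isset($parts['user']) || isset($parts['pass'])) {
    // "https://trusted-host@other-host/" puts the trusted name in userinfo.
    return FALSE;
  }
  $host = rtrim(strtolower($parts['host']), '.');
  // Exact match only: suffix or substring matching would accept
  // look-alike hosts such as "analytics.example.org.other.test".
  return in_array($host, array_map('strtolower', $allowed_hosts), TRUE);
}

// Constructed sample inputs; analytics.example.org stands in for the
// site's own Matomo server.
$allowed = ['analytics.example.org'];
$samples = [
  'https://analytics.example.org/',
  'https://Analytics.Example.org/matomo.js',
  'http://analytics.example.org/',
  '//analytics.example.org/',
  'https://analytics.example.org.other.test/',
  'https://analytics.example.org@other.test/',
  'javascript:alert(1)',
];
foreach ($samples as $sample) {
  $verdict = example_matomo_url_is_trusted($sample, $allowed) ? 'accept' : 'reject';
  printf("%-45s %s\n", $sample, $verdict);
}
```

Only the first two samples are accepted. Running the same check when the page is rendered, not just when the form is saved, also covers values that were stored before the check existed.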

Solution: 

Upgrade your site to the most recent version of the Matomo module. A download is available on the Matomo 1.x-2.12.2 release page.

Reported By: 
Fixed By: 
Coordinated By: 
 
 
 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to backdropcms.org
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive BackdropCMS.org security announcements for core and contrib projects"