
it-securitynotifies - [IT-SecNots] [Security-news] Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008
  • Date: Wed, 29 Jan 2025 17:48:53 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-008

Project: Matomo Analytics [1]
Date: 2025-January-29
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery

Affected versions: <1.24.0
Description: 
This module enables you to add the Matomo web statistics tracking system to
your website.

The Matomo Analytics Tag Manager sub-module allows you to add one or more
Matomo tag containers on your website.

The module does not protect against Cross Site Request Forgeries on routes to
enable or disable containers.

This vulnerability is mitigated by the fact that:

* The website needs to have the submodule "Matomo Analytics Tag Manager"
enabled.
* An attacker must know the machine name of the container.

Solution: 
Install the latest version:

* If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to
Matomo Analytics 8.x-1.24 [3]

Reported By: 
* Ivo Van Geertruyen [4] of the Drupal Security Team

Fixed By: 
* Ivo Van Geertruyen [5] of the Drupal Security Team
* Florent Torregrosa [6]

Coordinated By: 
* Ivo Van Geertruyen [7] of the Drupal Security Team


[1] https://www.drupal.org/project/matomo
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/matomo/releases/8.x-1.24
[4] https://www.drupal.org/user/383424
[5] https://www.drupal.org/user/383424
[6] https://www.drupal.org/user/2388214
[7] https://www.drupal.org/user/383424

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
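
A way to audit your own custom modules for the bug class described above, as an added example that is not part of the advisory or the Matomo module's code: it flags controller-backed enable/disable/delete routes in a routing.yml that lack Drupal core's `_csrf_token: 'TRUE'` route requirement. The module name `example_tags`, the route names and paths, and the path-suffix heuristic are assumptions made for illustration; the advisory does not say how the fix was implemented.

```python
import re

# Constructed sample; the module, route names and controller are hypothetical.
SAMPLE_ROUTING = r"""
entity.example_container.enable:
  path: '/admin/config/example/containers/{example_container}/enable'
  defaults:
    _controller: '\Drupal\example_tags\Controller\ContainerController::enable'
  requirements:
    _permission: 'administer example containers'
entity.example_container.disable:
  path: '/admin/config/example/containers/{example_container}/disable'
  defaults:
    _controller: '\Drupal\example_tags\Controller\ContainerController::disable'
  requirements:
    _permission: 'administer example containers'
    _csrf_token: 'TRUE'
entity.example_container.delete_form:
  path: '/admin/config/example/containers/{example_container}/delete'
  defaults:
    _entity_form: 'example_container.delete'
  requirements:
    _permission: 'administer example containers'
"""
# Heuristic (assumption): a path ending in one of these verbs changes state.
STATE_CHANGING = re.compile(r"/(enable|disable|delete)$")

def parse_routes(text):
    """Flatten each route's keys into one dict (enough for this check; not full YAML)."""
    routes, name = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if raw[:1].isspace() and name:          # indented line: key of current route
            routes[name][key] = value.strip(" '\"")
        elif key and not key.startswith("#"):   # unindented line: new route name
            name = key
            routes[name] = {}
    return routes

def routes_missing_csrf(text):
    """Names of controller-backed, state-changing routes lacking _csrf_token: 'TRUE'."""
    flagged = []
    for name, route in parse_routes(text).items():
        changes_state = STATE_CHANGING.search(route.get("path", ""))
        direct = "_controller" in route   # form routes rely on the Form API token
        protected = route.get("_csrf_token", "").upper() == "TRUE"
        if changes_state and direct and not protected:
            flagged.append(name)
    return flagged
```

On the constructed sample, `routes_missing_csrf(SAMPLE_ROUTING)` reports only the `enable` route: the `disable` route carries the token requirement and the delete route goes through a confirmation form.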

