[IT-SecNots] [Security-news] Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-058

Project: Piwik PRO [1]
Date: 2025-May-14
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.3.2
CVE IDs: CVE-2025-4415
Description: 
This module enables you to add the Piwik Pro web statistics tracking system
to your website.

The module does not check the JS code that is loaded on the website. So a
user with the "Administer Piwik Pro" permission could configure the module to
load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer piwik pro" to access the settings form where
this can be configured.

Solution: 
Install the latest version:

 * If you use the Piwik Pro module, upgrade to Piwik Pro 1.3.2 [3]

Sites are encouraged to review which roles have that permission and which
users have that role, to ensure that only trusted users have that permission.

Reported By: 
 * Pierre Rudloff (prudloff) [4]

Fixed By: 
 * Hartsak  (hartsak) [5]
 * Josha Hubbers (joshahubbers) [6]

Coordinated By: 
 * Juraj Nemec (poker10) [7] of the Drupal Security Team
 * Pierre Rudloff (prudloff) [8]


[1] https://www.drupal.org/project/piwik_pro
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/piwik_pro/releases/1.3.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/hartsak
[6] https://www.drupal.org/u/joshahubbers-0
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news