DRUPAL-CONTRIB-2023-033

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/matomo/DRUPAL-CONTRIB-2023-033.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-033
Published
2023-08-02T18:59:27Z
Modified
2025-12-10T23:33:47.825308Z
Summary
[none]
Details

This module enables you to add the Matomo web statistics tracking system to your website.

The module does not check the Matomo JS code loaded on the website, so a user could configure the module to load JS from a malicious website.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/matomo

Package

Name
drupal/matomo
Purl
pkg:composer/drupal/matomo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.22.0
Database specific
{
    "constraint": "<1.22.0"
}

Database specific

affected_versions
"<1.22.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/matomo/DRUPAL-CONTRIB-2023-033.json"