Server side template injection in drupal/matomo
Description
This module enables you to add the Matomo web statistics tracking system to your website.
The module does not check the Matomo JS code loaded on the website, so a user could configure the module to load JS from a malicious website.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.
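A site owner can audit both halves of this description: where the configured Matomo URL actually points, and which roles hold the two permissions. The following is an added example, not code from the module or the advisory; it assumes the URLs and role permissions have already been read from the site's configuration, and the hosts, role names and allowlist are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the only host this site is meant to load Matomo JS from (constructed).
ALLOWED_HOSTS = {"analytics.example.org"}
# Permission names as given in the advisory text.
RISKY_PERMISSIONS = {"administer matomo", "administer matomo tag manager"}


def check_matomo_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one configured Matomo URL (empty list = ok)."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        findings.append("scheme is %r, expected https" % parts.scheme)
    # "https://good@other/" reads like "good" but the browser contacts "other".
    if parts.username is not None or parts.password is not None:
        findings.append("URL carries userinfo; the real host is after the '@'")
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match only: suffix or substring tests accept look-alike hosts.
    if host not in allowed_hosts:
        findings.append("host %r is not on the allowlist" % host)
    return findings


def roles_with_risky_permissions(roles):
    """Map role id -> risky permissions it holds, for roles that hold any."""
    hits = {}
    for role_id, permissions in roles.items():
        held = sorted(RISKY_PERMISSIONS.intersection(permissions))
        if held:
            hits[role_id] = held
    return hits


# Constructed sample data standing in for values read from the site's configuration.
SAMPLE_URLS = [
    "https://analytics.example.org/",
    "http://analytics.example.org/",
    "https://analytics.example.org@cdn.example.net/",
    "https://analytics.example.org.cdn.example.net/",
]
SAMPLE_ROLES = {
    "anonymous": ["access content"],
    "editor": ["access content", "administer matomo"],
    "seo": ["administer matomo tag manager", "administer matomo"],
}

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", check_matomo_url(url) or "ok")
    print(roles_with_risky_permissions(SAMPLE_ROLES))
```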
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
packagist | 1.22.0 |