
CVE-2024-38766 – WordPress Matomo Analytics plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) leading to Notice Dismissal vulnerability
https://notcve.org/view.php?id=CVE-2024-38766
12 Jul 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: from n/a through 5.1.1. The Matomo Analytics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into perfo... • https://patchstack.com/database/wordpress/plugin/matomo/vulnerability/wordpress-matomo-analytics-plugin-5-1-0-cross-site-request-forgery-csrf-leading-to-notice-dismissal-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2023-33211 – WordPress WP-Piwik Plugin <= 1.0.27 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-33211
22 May 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in André Bräkling WP-Matomo Integration (WP-Piwik) plugin <= 1.0.27 versions. The WP-Piwik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin display name in versions up to, and including, 1.0.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a us... • https://patchstack.com/database/vulnerability/wp-piwik/wordpress-wp-matomo-integration-wp-piwik-plugin-1-0-27-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-33156
https://notcve.org/view.php?id=CVE-2022-33156
12 Jul 2022 — The matomo_integration (aka Matomo Integration) extension before 1.3.2 for TYPO3 allows XSS. • https://typo3.org/security/advisory/typo3-ext-sa-2022-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-29578
https://notcve.org/view.php?id=CVE-2020-29578
08 Dec 2020 — The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the Piwik Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access. • https://github.com/koharin/koharin2/blob/main/CVE-2020-29578

CVE-2013-0195
https://notcve.org/view.php?id=CVE-2013-0195
20 Nov 2019 — Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0194. • http://www.openwall.com/lists/oss-security/2013/01/17/15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-0194
https://notcve.org/view.php?id=CVE-2013-0194
20 Nov 2019 — Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0195. • http://www.openwall.com/lists/oss-security/2013/01/17/15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2013-0193
https://notcve.org/view.php?id=CVE-2013-0193
20 Nov 2019 — Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0194 and CVE-2013-0195. • http://www.openwall.com/lists/oss-security/2013/01/17/15 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-12215
https://notcve.org/view.php?id=CVE-2019-12215
20 May 2019 — ** DISPUTED ** A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities." • https://github.com/matomo-org/matomo/issues/14464 • CWE-209: Generation of Error Message Containing Sensitive Information

CVE-2015-7816 – Piwik 2.14.3 PHP Object Injection
https://notcve.org/view.php?id=CVE-2015-7816
04 Nov 2015 — The DisplayTopKeywords function in plugins/Referrers/Controller.php in Piwik before 2.15.0 allows remote attackers to conduct PHP object injection attacks, conduct Server-Side Request Forgery (SSRF) attacks, and execute arbitrary PHP code via a crafted HTTP header. • https://packetstorm.news/files/id/134220

CVE-2015-7815 – Piwik 2.14.3 Local File Inclusion
https://notcve.org/view.php?id=CVE-2015-7815
04 Nov 2015 — Directory traversal vulnerability in core/ViewDataTable/Factory.php in Piwik before 2.15.0 allows remote attackers to include and execute arbitrary local files via the viewDataTable parameter. Piwik version 2.14.3 and below suffer from a local file inclusion vulnerability. • https://packetstorm.news/files/id/134219 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')