CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38766 – WordPress Matomo Analytics plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) leading to Notice Dismissal vulnerability
https://notcve.org/view.php?id=CVE-2024-38766
12 Jul 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through 5.1.1. The Matomo Analytics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into perfo... • https://patchstack.com/database/wordpress/plugin/matomo/vulnerability/wordpress-matomo-analytics-plugin-5-1-0-cross-site-request-forgery-csrf-leading-to-notice-dismissal-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12215
https://notcve.org/view.php?id=CVE-2019-12215
20 May 2019 — A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities. ** EN DISPUTA ** Se descubrió una vulnerabilidad de divulgación de ruta completa en Matomo v3.9.1, donde un us... • https://github.com/matomo-org/matomo/issues/14464 • CWE-209: Generation of Error Message Containing Sensitive Information •