Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008

Wed, 2025-01-29 00:51 — Anonymous (not verified)

Project: Matomo AnalyticsDate: 2025-January-29Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryAffected versions: <1.24.0Description: This module enables you to add the Matomo web statistics tracking system to your website.
The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.
The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.
This vulnerability is mitigated by the fact that:

The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
An attacker must know the machine name of the container.

Solution: Install the latest version:

If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to Matomo Analytics 8.x-1.24

Reported By:

Ivo Van Geertruyen of the Drupal Security Team

Fixed By:

Ivo Van Geertruyen of the Drupal Security Team
Florent Torregrosa

Coordinated By:

Ivo Van Geertruyen of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-008

Search form

Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008