Vulnerability from drupal
Published
2025-01-29 08:51
Modified
2025-03-31 22:04
Summary
Details

This module enables you to add the Matomo web statistics tracking system to your website.

The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.

The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.

This vulnerability is mitigated by the fact that:

  • The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
  • An attacker must know the machine name of the container.
Credits
Ivo Van Geertruyen www.drupal.org/user/383424
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.24.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/matomo"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.24.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-31680"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/383424"
      ],
      "name": "Ivo  Van Geertruyen"
    }
  ],
  "details": "This module enables you to add the Matomo web statistics tracking system to your website.\n\nThe Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.\n\nThe module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.\n\nThis vulnerability is mitigated by the fact that:\n\n* The website needs to have the submodule \"Matomo Analytics Tag Manager\" enabled.\n* An attacker must know the machine name of the container.",
  "id": "DRUPAL-CONTRIB-2025-008",
  "modified": "2025-03-31T22:04:11.000Z",
  "published": "2025-01-29T08:51:50.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-008"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.