Vulnerabilities > Matomo

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR / COMPLEXITY | VENDOR / CWE | RISK |
|---|---|---|---|---|---|---|
| 2020-12-08 | CVE-2020-29578 | Unspecified vulnerability in Matomo Piwik Fpm-Alpine Docker Image | The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. | network, low complexity | matomo | critical 10.0 |
| 2019-11-20 | CVE-2013-0195 | Cross-Site Scripting vulnerability in Matomo | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network | matomo CWE-79 | 4.3 |
| 2019-11-20 | CVE-2013-0194 | Cross-Site Scripting vulnerability in Matomo | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network | matomo CWE-79 | 4.3 |
| 2019-11-20 | CVE-2013-0193 | Cross-Site Scripting vulnerability in Matomo | Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network | matomo CWE-79 | 4.3 |
| 2019-05-20 | CVE-2019-12215 | Information Exposure Through an Error Message vulnerability in Matomo 3.9.1 | ** DISPUTED ** A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. | network, low complexity | matomo CWE-209 | 4.0 |
| 2015-11-16 | CVE-2015-7816 | Unspecified vulnerability in Matomo | The DisplayTopKeywords function in plugins/Referrers/Controller.php in Piwik before 2.15.0 allows remote attackers to conduct PHP object injection attacks, conduct Server-Side Request Forgery (SSRF) attacks, and execute arbitrary PHP code via a crafted HTTP header. | network, low complexity | matomo | 7.5 |
| 2015-11-16 | CVE-2015-7815 | Path Traversal vulnerability in Matomo | Directory traversal vulnerability in core/ViewDataTable/Factory.php in Piwik before 2.15.0 allows remote attackers to include and execute arbitrary local files via the viewDataTable parameter. | network, low complexity | matomo CWE-22 | 7.5 |
| 2013-03-21 | CVE-2013-2633 | Improper Input Validation vulnerability in Matomo | Piwik before 1.11 accepts input from a POST request instead of a GET request in unspecified circumstances, which might allow attackers to obtain sensitive information by leveraging the logging of parameters. | network, low complexity | matomo CWE-20 | 5.0 |
| 2013-03-21 | CVE-2013-1844 | Cross-Site Scripting vulnerability in Matomo | Cross-site scripting (XSS) vulnerability in Piwik before 1.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network | matomo CWE-79 | 4.3 |
| 2012-11-19 | CVE-2012-4541 | Cross-Site Scripting vulnerability in Matomo | Cross-site scripting (XSS) vulnerability in Piwik before 1.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | network | matomo CWE-79 | 4.3 |