Vulnerabilities > Matomo > Matomo > High

DATE CVE VULNERABILITY TITLE RISK
2015-11-16 CVE-2015-7816 Unspecified vulnerability in Matomo
The DisplayTopKeywords function in plugins/Referrers/Controller.php in Piwik before 2.15.0 allows remote attackers to conduct PHP object injection attacks, conduct Server-Side Request Forgery (SSRF) attacks, and execute arbitrary PHP code via a crafted HTTP header.
network
low complexity
matomo
7.5
2015-11-16 CVE-2015-7815 Path Traversal vulnerability in Matomo
Directory traversal vulnerability in core/ViewDataTable/Factory.php in Piwik before 2.15.0 allows remote attackers to include and execute arbitrary local files via the viewDataTable parameter.
network
low complexity
matomo CWE-22
7.5
2009-12-24 CVE-2009-4137 Improper Input Validation vulnerability in Matomo
The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.
network
low complexity
matomo CWE-20
7.5
2009-12-22 CVE-2009-4140 Remote PHP Code Execution vulnerability in Open Flash Chart 'ofc_upload_image.php'
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.
network
low complexity
teethgrinder-co-uk matomo
7.5