Piwik (now Matomo) Vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability in Piwik before 1.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Advisories for Composer/Piwik/Piwik package
2022
Piwik (now Matomo) Vulnerable to Arbitrary Code Execution
Unspecified vulnerability in Piwik 1.2 through 1.4 allows remote attackers with the view permission to execute arbitrary code via unknown attack vectors.
Piwik (now Matomo) Reveals Sensitive Information by Accepting Input from `POST` Requests
Piwik before 1.11 accepts input from a POST request instead of a GET request in unspecified circumstances, which might allow attackers to obtain sensitive information by leveraging the logging of parameters.
2016
PHP Object Injection Vulnerability
There's a PHP Object Injection vulnerability that can be triggered through the saveLayout() method defined into the /plugins/Dashboard/Controller.php script. Since Piwik is not using "utf8mb4" collations for its database, this can be exploited in combination with a MySQL UTF8 truncation issue in order to corrupt the session array, allowing unauthenticated attackers to inject arbitrary PHP objects into the application scope and carry out Server-Side Request Forgery (SSRF) attacks, delete arbitrary …