A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities.
References
Link | Resource |
---|---|
https://github.com/matomo-org/matomo/issues/14464 | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 03:03
Type | Values Removed | Values Added |
---|---|---|
Summary | A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities. |
Information
Published : 2019-05-20 16:29
Updated : 2024-08-05 00:15
NVD link : CVE-2019-12215
Mitre link : CVE-2019-12215
CVE.ORG link : CVE-2019-12215
JSON object : View
Products Affected
matomo
- matomo
CWE
CWE-209
Generation of Error Message Containing Sensitive Information