Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-January-29
Security risk:
Vulnerability:
Cross site request forgery
Affected versions:
<1.24.0
CVE IDs:
CVE-2025-31680
Description:
This module enables you to add the Matomo web statistics tracking system to your website.
The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website.
The module does not protect against Cross Site Request Forgeries on routes to enable or disable containers.
This vulnerability is mitigated by the fact that:
- The website needs to have the submodule "Matomo Analytics Tag Manager" enabled.
- An attacker must know the machine name of the container.
Solution:
Install the latest version:
- If you use the Matomo Analytics module 8.x-1.23 and below, upgrade to Matomo Analytics 8.x-1.24
Reported By:
- Ivo Van Geertruyen of the Drupal Security Team
Fixed By:
- Ivo Van Geertruyen of the Drupal Security Team
- Florent Torregrosa
Coordinated By:
- Ivo Van Geertruyen of the Drupal Security Team
