CVE-2019-12215

Name of the Vulnerable Software and Affected Versions Matomo version 3.9.1

Description A full path disclosure issue was discovered, allowing a user to trigger an error and discover the full path of Matomo on the disk. This occurs because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. The vendor disputes the significance of this issue.

Recommendations For Matomo version 3.9.1, consider modifying the safemode.twig template to avoid disclosing the full path when an error occurs, or restrict access to the CorePluginsAdmin plugin until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.