
SA-CONTRIB-2023-033 communicates a security issue in the Matomo Analytics module.

The Piwik module was replaced by the Matomo Analytics module, and the last published Piwik release, 7.x-2.12, is not affected. This PSA is for anyone still running Piwik 7.x-2.11 or earlier.

The Piwik module allows an administrator to inject custom JavaScript into every page, which is cross-site scripting by design: whoever holds the permission can run arbitrary script in every visitor's browser. The reported issue is that the 'administer piwik' permission, which grants this capability, is not marked with Drupal's 'restrict access' flag, so the Permissions page does not show the usual warning that it should be given to trusted roles only.

Solution:

We recommend that users of Piwik 7.x-2.11 and earlier either update to 7.x-2.12 (renamed to Matomo), or review which roles hold 'administer piwik' and ensure the permission is granted only to trusted users.
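As an added illustration that is not the Piwik module's own source, the Drupal 7 snippet below shows both halves of the advice above: how a hook_permission() declaration carries the 'restrict access' flag that the reported issue found missing, and how to audit which roles currently hold 'administer piwik'. The function names, the title and description strings, and the script filename are illustrative; only the permission name 'administer piwik' comes from the PSA. The audit part assumes a bootstrapped Drupal 7 site (for example run with `drush php-script`).

```php
<?php
/**
 * Illustrative Drupal 7 code (not the Piwik module's own source).
 *
 * Run the audit part with a bootstrapped site, e.g.:
 *   drush php-script piwik_permission_audit.php
 * The hook below is shown for comparison only and would live in a module file.
 */

/**
 * Hypothetical hook_permission() for a module that lets an admin inject
 * JavaScript into every page (the capability 'administer piwik' grants).
 *
 * Weak form (the issue the PSA describes): the permission is declared
 * without 'restrict access', so the Permissions page shows no warning.
 *
 *   'administer piwik' => array(
 *     'title' => t('Administer Piwik'),
 *   ),
 *
 * Hardened form: 'restrict access' => TRUE makes Drupal 7 render the
 * "Warning: Give to trusted roles only; this permission has security
 * implications." text next to the permission.
 */
function example_piwik_permission() {
  return array(
    'administer piwik' => array(
      'title' => t('Administer Piwik'),
      // Spell out the consequence so an admin granting it understands
      // that it is equivalent to allowing XSS on every page.
      'description' => t('Change Piwik settings, including custom JavaScript added to every page.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Returns rid => role name for every role that holds $permission.
 *
 * Uses the Drupal 7 {role} and {role_permission} tables, so it reflects
 * the live configuration rather than what a module declares.
 */
function example_roles_with_permission($permission) {
  return db_query(
    'SELECT r.rid, r.name FROM {role} r
     INNER JOIN {role_permission} rp ON rp.rid = r.rid
     WHERE rp.permission = :perm ORDER BY r.rid',
    array(':perm' => $permission)
  )->fetchAllKeyed();
}

// Audit: list the holders of 'administer piwik' and flag the two built-in
// roles that every visitor (anonymous) or every account (authenticated)
// belongs to. Either of those holding the permission means untrusted users
// can inject script into every page.
$holders = example_roles_with_permission('administer piwik');
if (empty($holders)) {
  print "No role holds 'administer piwik'.\n";
}
foreach ($holders as $rid => $name) {
  print "rid $rid: $name\n";
  if ($rid == DRUPAL_ANONYMOUS_RID || $rid == DRUPAL_AUTHENTICATED_RID) {
    print "  WARNING: built-in role '$name' holds 'administer piwik'; revoke it.\n";
  }
}
```

After running the audit, any role listed that is not a small, trusted administrative group should have the permission revoked at admin/people/permissions; revoking it does not remove already-injected JavaScript, so also review the module's custom code setting.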