cve/CVE-2025-34104.md at b99156590a6b0c1cf0b374aa41887d37143570c8

admin/cve

mirror of https://github.com/0xMarcio/cve.git synced 2025-11-30 18:56:19 +00:00

0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09

2025-09-29 21:09:30 +02:00

Description

An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file.

POC

Reference

https://www.vulncheck.com/advisories/piwik-authenticated-rce-via-custom-plugin-upload

Github

https://github.com/ARPSyndicate/cve-scores

1.2 KiB Raw Blame History

CVE-2025-34104

Description

POC

Reference

Github

1.2 KiB

Raw Blame History