Channel: Support & Bugs - Matomo forums

Critical URL vulnerability when resending an invitation in Matomo 4.14.2


When resending an invitation the password confirmation is sent as a query string rather than in the POST payload. This will display the admin user’s password as clear text in the browser and in all the request logs.

Steps to reproduce:

  1. Navigate to Admin / System / Users
  2. Invite a new user
  3. Click on Resend invite/Copy invite link
  4. Confirm the password

The last step will do a POST request but sends the password as a part of the URL (example below) rather than in the payload:

https://example.net/index.php?date=yesterday&module=API&format=json&method=UsersManager.resendInvite&userLogin=user%40example.net&passwordConfirmation=XXXXXXXX&segment=&idSite=1&period=day

The passwordConfirmation query string is visible and can be stored in the browser (regardless of the cache-control: must-revalidate header) and is stored in the server logs with the clear text password visible.

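The request shape the report describes, reproduced as an added example (this is not Matomo's code and not the reporter's): a request builder that appends `passwordConfirmation` to the URL next to one that keeps it in the form-encoded POST body, plus a scan over web-server access-log lines that flags any request whose query string carried a sensitive parameter. The URL is the one quoted in the post; the log lines, the client address and the value `hunter2` are constructed, and the list of names treated as sensitive beyond `passwordConfirmation` is my own choice.

```javascript
// Added example, not Matomo's code. Shows the two request shapes the report
// contrasts (password confirmation in the query string vs. in the POST body)
// and a scan of web-server access logs for requests that leaked it.
// Runs under Node.js (uses the global URL / URLSearchParams classes).

// The URL quoted in the report (placeholder password kept as-is).
const REPORTED_URL =
  'https://example.net/index.php?date=yesterday&module=API&format=json' +
  '&method=UsersManager.resendInvite&userLogin=user%40example.net' +
  '&passwordConfirmation=XXXXXXXX&segment=&idSite=1&period=day';

// Parameter names that must never appear in a URL. passwordConfirmation is
// the one from the report; the other two are my additions for the scan.
const SENSITIVE_PARAMS = new Set(['passwordConfirmation', 'password', 'token_auth']);

// Return the sensitive parameter names present in a URL's query string.
function leakedParams(urlString) {
  const { searchParams } = new URL(urlString);
  return [...new Set(searchParams.keys())].filter((k) => SENSITIVE_PARAMS.has(k));
}

// Leaky shape: every parameter is appended to the URL, even though the
// request is a POST. This is the behaviour the report describes.
function buildLeakyRequest(baseUrl, params) {
  const url = new URL(baseUrl);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return { method: 'POST', url: url.toString(), headers: {}, body: '' };
}

// Hardened shape: sensitive parameters travel only in the form-encoded body,
// so they do not end up in browser history, proxy logs or the access log.
function buildSafeRequest(baseUrl, params) {
  const url = new URL(baseUrl);
  const body = new URLSearchParams();
  for (const [k, v] of Object.entries(params)) {
    if (SENSITIVE_PARAMS.has(k)) body.set(k, v);
    else url.searchParams.set(k, v);
  }
  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Combined-log-format line: client, timestamp, method, request target, status.
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})/;

// Scan access-log lines and report requests whose query string carried a
// sensitive parameter. The path is returned without its query string so the
// finding itself does not repeat the secret.
function findLeaksInLog(lines, origin = 'https://example.net') {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE_RE.exec(line);
    if (!m) continue;
    const [, client, timestamp, method, target, status] = m;
    const leaked = leakedParams(new URL(target, origin).toString());
    if (leaked.length > 0) {
      hits.push({
        client,
        timestamp,
        method,
        path: target.split('?')[0],
        status: Number(status),
        leaked,
      });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic): one leaky resendInvite call
// and one harmless API call.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/May/2023:09:12:01 +0000] "POST /index.php?date=yesterday&module=API&format=json&method=UsersManager.resendInvite&userLogin=user%40example.net&passwordConfirmation=hunter2&segment=&idSite=1&period=day HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/May/2023:09:12:05 +0000] "POST /index.php?module=API&format=json&method=UsersManager.getUsers HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

const demoParams = {
  module: 'API',
  method: 'UsersManager.resendInvite',
  userLogin: 'user@example.net',
  passwordConfirmation: 'hunter2',
};
console.log('leaked in reported URL:', leakedParams(REPORTED_URL));
console.log('leaky request URL:', buildLeakyRequest('https://example.net/index.php', demoParams).url);
console.log('safe request:', buildSafeRequest('https://example.net/index.php', demoParams));
console.log('log hits:', JSON.stringify(findLeaksInLog(SAMPLE_LOG), null, 2));
```

Running the scan over an instance's real access logs (and over any reverse-proxy or CDN logs in front of it) is the practical follow-up for an admin who used the resend-invite flow on an affected version: each hit is a place where the cleartext password has been stored and should be rotated and purged.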
