DaSchTour matomo-mediawiki-extension Username Piwik.hooks.php cross site scripting
Description
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2 on MediaWiki. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.4.3 is able to address this issue. The patch is named 681324e4f518a8af4bd1f93867074c728eb9923d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220203.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in DaSchTour matomo-mediawiki-extension up to 2.4.2 allows remote attackers to inject arbitrary JavaScript via crafted usernames.
Vulnerability
Description A cross-site scripting (XSS) issue exists in the matomo-mediawiki-extension (formerly Piwik) for MediaWiki, up to version 2.4.2. The flaw resides in the Piwik.hooks.php file within the Username Handler component. Improper sanitization of usernames enables an attacker to inject malicious scripts [1].
Exploitation
Exploitation requires a specially-crafted username, such as 0'+(window.alert('You have been hacked'))+'0, which, when processed by the extension, executes arbitrary JavaScript in the context of the victim's session [4]. The attack is remote but has a high complexity rating, meaning it is not easily exploitable [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the browser of any user viewing pages that display the crafted username. This could lead to session hijacking, defacement, or theft of sensitive information [4].
Mitigation
The issue is resolved in version 2.4.3 of the extension, which includes the commit 681324e4f518a8af4bd1f93867074c728eb9923d that properly escapes usernames before output [3]. Users are strongly advised to upgrade to this version or later to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mediawiki/matomoPackagist | < 2.4.3 | 2.4.3 |
Affected products
3<=2.4.2+ 1 more
- (no CPE)range: <=2.4.2
- (no CPE)range: 2.4.0
Patches
1681324e4f518SECURITY: XSS when $wgPiwikTrackUsernames is true
1 file changed · +2 −2
Piwik.hooks.php+2 −2 modified@@ -82,8 +82,8 @@ public static function AddPiwik ($title) { // name for anonymous visitors is their IP address which Piwik already // records. if ($wgPiwikTrackUsernames && $wgUser->isLoggedIn()) { - $username = $wgUser->getName(); - $customJs .= PHP_EOL . " _paq.push(['setUserId','{$username}']);"; + $username = Xml::encodeJsVar( $wgUser->getName() ); + $customJs .= PHP_EOL . " _paq.push([\"setUserId\",{$username}]);"; } // Check if server uses https
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/DaSchTour/matomo-mediawiki-extension/commit/681324e4f518a8af4bd1f93867074c728eb9923dghsapatchWEB
- github.com/DaSchTour/matomo-mediawiki-extension/releases/tag/v2.4.3ghsapatchWEB
- github.com/DaSchTour/matomo-mediawiki-extension/pull/17ghsaexploitissue-trackingWEB
- github.com/advisories/GHSA-hc67-v29c-7g78ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-20175ghsaADVISORY
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entrytechnical-descriptionWEB
News mentions
0No linked articles in our index yet.