Matomo is a set of open source website access statistics system based on PHP + MySQL technology, which can provide detailed statistical information, such as the number of page views, the most visited pages, search engine keywords and other traffic analysis functions.

Matomo 4.12 is officially released, this is a maintenance release that improves the reliability and stability of Matomo, and also includes some important features and improvements. The specific updates of Matomo 4.12 are as follows:

Safe version

This is a major security release. Several medium and low impact security fixes are included in this release. Moderate impact fixes include preventing XSS vulnerabilities when using the Widgetize plugin – the possibility of injecting javascript code via angular templates, and an issue where anonymous users can export CSV reports, which when imported into Microsoft Excel or similar applications Inject commands in reports.

Low-impact security improvements include usingtoken_authChecks the two-factor authentication (2FA) status of API requests for the current session, and additional escaping in the Overlay module to prevent possible XSS attacks.

Platform changes

• groundbreaking change
  • when passed UsersManager.deleteUser A new parameter when the API uses session authentication to delete a user passwordConfirmation Needs to be sent with the request and contains the current password of the user making the API request.
  • when passed UsersManager.addUser A new parameter when the API uses session authentication to add a user passwordConfirmation Needs to be sent with a request containing the current password of the user making the API request.
  • when passed UsersManager.invertUser A new parameter when the API uses session authentication to invite a user passwordConfirmation Needs to be sent with a request containing the current password of the user making the API request.
• new php event
  • Added new events Login.userRequiresPasswordConfirmationwhich can be used in login plugins to circumvent password confirmation in the user interface and certain API methods
  • when passed SitesManager.deleteSite A new parameter when the API uses session authentication to delete a site passwordConfirmation Needs to be sent with the request and contains the current password of the user making the API request.
• New privacy opt-out option
  • The iframe opt-out UI for the Privacy Manager has been replaced to generate a JavaScript opt-out code that uses the Matomo tracker, the existing iframe opt-out will still work, but the iframe opt-out code will no longer be generated by the UI as most major browsers Stopping support for third-party cookies in iframes.

New and updated SDKs

Matomo team provides official SDK (Tracking API Clients) for monitoring your mobile app and any other kind of app.

More details can be found here: https://matomo.org/changelog/matomo-4-12-0/