SQL injection: Release notes not sufficient


In the release notes you speak of SQL injection. It is very important to know the details: is the issue only exploitable in certain circumstances? Authenticated or unauthenticated? You cannot drop a release without specifying the attack vector better, without spreading panic.

An unauthenticated SQL injection is of course much worse and would warrant shutting down Matomo tracking immediately until fixed. For authenticated injections, the impact can be much smaller, depending on the users of the system.

(Please remember this in future release notes)