Cross-site Scripting in SEOmatic plugin

2022-06-1300:00:19

Google

osv.dev

0.001 Low

EPSS

Percentile

42.2%

JSON

A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user’s browser as the extension.

CPENameOperatorVersion
nystudio107/craft-seomaticeq3.1.1
nystudio107/craft-seomaticeq3.2.25
nystudio107/craft-seomaticeq3.3.36
nystudio107/craft-seomaticeq3.0.0-beta.15
nystudio107/craft-seomaticeq3.1.14
nystudio107/craft-seomaticeq3.1.47
nystudio107/craft-seomaticeq3.3.3
nystudio107/craft-seomaticeq3.3.35
nystudio107/craft-seomaticeq3.0.25
nystudio107/craft-seomaticeq3.1.3

Name	Operator	Version
nystudio107/craft-seomatic	eq	3.1.1
nystudio107/craft-seomatic	eq	3.2.25
nystudio107/craft-seomatic	eq	3.3.36
nystudio107/craft-seomatic	eq	3.0.0-beta.15
nystudio107/craft-seomatic	eq	3.1.14
nystudio107/craft-seomatic	eq	3.1.47
nystudio107/craft-seomatic	eq	3.3.3
nystudio107/craft-seomatic	eq	3.3.35
nystudio107/craft-seomatic	eq	3.0.25
nystudio107/craft-seomatic	eq	3.1.3