5 matches found
CVE-2021-41749
The CVE-2021-41749 entry affects the SEOmatic plugin for Craft CMS 3 up to version 3.4.11. The Nuclei template documents an unauthenticated Server-Side Template Injection (SSTI) vulnerability that allows an attacker to execute arbitrary Twig templates and system commands via the X-Forwarded-Host ...
CVE-2021-44618
SSTI in Nystudio107 Seomatic 3.4.12 (src/helpers/UrlHelper.php via Host header). CVSSv3.1: 9.8 (CRITICAL), network attack, no user interaction. Impact: confidentiality, integrity, availability HIGH. Exploitation details and fix version are not provided in connected documents; remediation steps no...
CVE-2021-41750
The CVE-2021-41750 entry corresponds to a cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3. The issue arises from a flaw in the handling of a GET request to /index.php?action=seomatic/file/seo-file-link, where the url parameter (base64-encoded URL) and fileNa...
CVE-2018-14716
CVE-2018-14716 affects the SEOmatic plugin for Craft CMS (before 3.1.4). A Server Side Template Injection (SSTI) occurs because requests that don’t match any elements cause an incorrect canonicalUrl, enabling execution of Twig code. Documented exploits exist (exploit-db PoC) and public advisories...
CVE-2020-12790
The CVE-2020-12790 entry concerns the SEOmatic plugin for Craft CMS before version 3.2.49. The root cause is improper sanitization in helpers/DynamicMeta.php for URL handling, which can allow Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon. ...