nystudio107/seomatic is vulnerable to server-side template injection (SSTI). The vulnerability can be triggered by sending requests that don’t match any elements, which leads to the generation of an incorrect canonicalUrl and the execution of Twig code.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | nystudio107/craft-seomatic | le | 3.1.3 |
ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
github.com/nystudio107/craft-seomatic/commit/1e7d1d084ac3a89e7ec70620f2749110508d1ce1
github.com/nystudio107/craft-seomatic/releases/tag/3.1.4
twitter.com/nystudio107/status/1021847835418009605
twitter.com/nystudio107/status/1021855169515057152
www.exploit-db.com/exploits/45108/