CVE-2018-14716
published 2018-08-06

CVE-2018-14716: A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements…

Priority: P2 · 63 · high · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 33.03% (98.1th percentile)
A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

Affected

2 ranges

Vendor       | Product         | Version range   | Fixed in
nystudio107  | craft-seomatic  | >= 0, < 3.1.4   | 3.1.4
nystudio107  | seomatic        | < 3.1.4         | 3.1.4

Detection & IOCs (extracted from sources)

url: /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d
command: craft.request.getUserAgent()|slice(0,8)
command: craft.config.get(dummy,dummy2)
  • Detect SSTI payloads in the URI path: look for URL-encoded Twig template delimiters (%7b%25, %25%7d, %7b%7b, %7d%7d) in HTTP request paths, especially when combined with 'craft.' method calls.
  • Monitor HTTP response Link headers for unexpected canonicalUrl values that contain Twig-rendered output; these may indicate successful SSTI exploitation via the SEOmatic plugin.
  • Correlate 404 responses that carry a Link: rel='canonical' header with suspicious URI patterns containing Twig syntax to identify successful or attempted exploitation.
  • The SSTI is only reachable on requests that do NOT match any CMS element (i.e., that result in a 404). Detections scoped only to successful (2xx) responses will miss exploitation attempts.
  • The vulnerability affects SEOmatic plugin versions before 3.1.4 for Craft CMS. Installations running 3.1.4 or later are patched and should not be vulnerable.
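The first and fourth detection notes above, turned into working log-review logic. This is an added example, not part of the cvebase record or of the SEOmatic project; it assumes a Common/Combined access log format, and the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# URL-encoded Twig delimiters listed in the detection notes, plus their decoded forms.
TWIG_DELIMS = re.compile(r"%7b%25|%25%7d|%7b%7b|%7d%7d|\{%|%\}|\{\{|\}\}", re.IGNORECASE)
# A Craft object access such as craft.request.getUserAgent() or craft.config.get(...).
CRAFT_CALL = re.compile(r"\bcraft\.\w+\.\w+", re.IGNORECASE)
# Common/Combined access log: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return a verdict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    decoded = unquote(unquote(path))  # two passes so double-encoded delimiters are caught too
    has_twig = bool(TWIG_DELIMS.search(path) or TWIG_DELIMS.search(decoded))
    has_craft = bool(CRAFT_CALL.search(decoded))
    status = int(m.group("status"))
    # The SSTI is reachable only on requests that match no element (404), so a 404
    # carrying Twig delimiters and a craft.* access is the high-confidence case.
    if has_twig and has_craft and status == 404:
        return "likely_ssti_attempt"
    if has_twig:
        return "twig_syntax_in_path"
    return "benign"

def scan(lines):
    """Tally verdicts over many lines; unparseable lines are counted separately."""
    counts = {}
    for line in lines:
        verdict = classify(line) or "unparsed"
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample log lines (not real traffic). The second mimics a probe against a
# non-existent path using the same encoded delimiters the IOCs above list.
SAMPLE_LOGS = [
    '203.0.113.10 - - [06/Aug/2018:10:00:01 +0000] "GET /blog/hello-world HTTP/1.1" 200 5120',
    '203.0.113.20 - - [06/Aug/2018:10:00:02 +0000] "GET /x:%20%7b%7b%20craft.request.getUserAgent()%20%7d%7d HTTP/1.1" 404 812',
    '203.0.113.30 - - [06/Aug/2018:10:00:03 +0000] "GET /search/%7b%7bq%7d%7d HTTP/1.1" 200 2048',
]
```

Running `scan(SAMPLE_LOGS)` flags only the 404 with both Twig delimiters and a craft.* access; a path with delimiters but no craft.* reference is reported at lower confidence for triage.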

CVSS provenance

NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N