CVE-2018-14716
Published 2018-08-06
Priority P263, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 33.03% (98.1th percentile)
A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nystudio107 | craft-seomatic | >= 0 < 3.1.4 | 3.1.4 |
| nystudio107 | seomatic | < 3.1.4 | 3.1.4 |
Detection & IOCs (extracted from sources)
url: /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d
- Detect SSTI payloads in URI path: look for URL-encoded Twig template delimiters (%7b%25, %25%7d, %7b%7b, %7d%7d) in HTTP request paths, especially combined with 'craft.' method calls.
- Monitor HTTP response Link headers for unexpected canonicalUrl values that contain Twig-rendered output, which may indicate successful SSTI exploitation via the SEOmatic plugin.
- Correlate 404 responses containing a Link: rel='canonical' header with suspicious URI patterns containing Twig syntax to identify successful or attempted exploitation.
- The SSTI is only reachable on requests that do NOT match any CMS elements (i.e., result in a 404). Detections scoped only to successful (2xx) responses will miss exploitation attempts.
- The vulnerability affects SEOmatic plugin versions before 3.1.4 for Craft CMS. Installations running 3.1.4 or later are patched and should not be vulnerable.
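The path-based detection above can be run over web server access logs. The following is an added example, not part of the original record or of any project's tooling; it assumes combined-format log lines, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line and status from a combined-format access log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# URL-encoded Twig delimiters named in the guidance, plus their decoded forms.
ENCODED_DELIMS = ("%7b%25", "%25%7d", "%7b%7b", "%7d%7d")
RAW_DELIMS = ("{%", "%}", "{{", "}}")

def classify(line):
    """Return a finding dict if the request path carries Twig syntax, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]   # the guidance is about the URI path
    decoded = unquote(path)
    has_delim = (any(d in path.lower() for d in ENCODED_DELIMS)
                 or any(d in decoded for d in RAW_DELIMS))
    if not has_delim:
        return None
    return {
        "path": path,
        "status": int(m["status"]),
        # 'craft.' method calls next to Twig delimiters raise confidence.
        "craft_call": "craft." in decoded.lower(),
        # The flaw is reached on unmatched (404) requests, so 404s are kept, not filtered.
        "not_found": m["status"] == "404",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address range, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2018:10:00:01 +0000] "GET /blog/hello-world HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Aug/2018:10:00:02 +0000] "GET /%7B%7Bcraft.placeholder%7D%7D HTTP/1.1" 404 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Aug/2018:10:00:03 +0000] "GET /no-such-page HTTP/1.1" 404 640 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Aug/2018:10:00:04 +0000] "GET /x%7b%25%20set%20a%20=%201%20%25%7d HTTP/1.1" 404 640 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Findings with both `craft_call` and `not_found` set are the ones to correlate with the response Link header check described above.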
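CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |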
OSV
SEOmatic plugin for Craft CMS SSTI Vulnerability
osv·2022-05-13
CVE-2018-14716 [HIGH] SEOmatic plugin for Craft CMS SSTI Vulnerability
GHSA
SEOmatic plugin for Craft CMS SSTI Vulnerability
ghsa·2022-05-13
CVE-2018-14716 [HIGH] CWE-94 SEOmatic plugin for Craft CMS SSTI Vulnerability
- http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
- https://github.com/nystudio107/craft-seomatic/commit/1e7d1d084ac3a89e7ec70620f2749110508d1ce1
- https://github.com/nystudio107/craft-seomatic/releases/tag/3.1.4
- https://twitter.com/nystudio107/status/1021847835418009605
- https://twitter.com/nystudio107/status/1021855169515057152
- https://www.exploit-db.com/exploits/45108/