CVE-2020-9757
Published 2020-03-04

CVE-2020-9757: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

Priority: P186 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 73.43% (99.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | craft_cms | < 3.3.0 | 3.3.0 |
| nystudio107 | craft-seomatic | >= 0 < 3.3.0 | 3.3.0 |
Detection & IOCs
- Exploit requests target the SEOmatic metacontainers controller endpoints with a Twig SSTI payload in the `uri` parameter. A vulnerable server will evaluate the expression and return the computed result (228*98=22344) in the response body alongside 'MetaLinkContainer' and 'canonical'.
- Shodan fingerprinting queries for exposed Craft CMS instances: search for `cpe:"cpe:2.3:a:craftcms:craft_cms"` or `http.html:craftcms` or favicon hash -47932290.
- The SSTI payload uses Twig template syntax (double curly braces with a multiplication expression) delivered via the `uri` GET parameter to the SEOmatic meta-container endpoints.
- Two distinct vulnerable endpoints exist; both should be tested/monitored as the exploit path may vary.
- The vulnerability affects SEOmatic component versions before 3.3.0 for Craft CMS; instances running 3.3.0 or later are not affected.
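
One way to hunt for the request pattern described in the bullets above in web access logs, as an added example that is not from this page's sources or the SEOmatic project: it flags requests to SEOmatic meta-container paths whose `uri` parameter decodes to Twig delimiters, including double-encoded ones. The path substrings, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line and status code in a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Twig opening delimiters: {{ expression, {% tag, {# comment.
TWIG_RE = re.compile(r"\{\{|\{%|\{#")

def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %257B -> %7B -> {)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_metacontainer_path(path):
    # Assumption: endpoint paths contain both substrings; adjust to your routing.
    p = fully_unquote(path).lower()
    return "seomatic" in p and "meta-container" in p

def find_ssti_probes(log_lines):
    """Return (line_no, status, decoded uri value) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line
        parts = urlsplit(m.group("target"))
        if not is_metacontainer_path(parts.path):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("uri", []):
            value = fully_unquote(raw)
            if TWIG_RE.search(value):
                hits.append((line_no, int(m.group("status")), value))
    return hits

# Constructed sample log lines (not from a real server); EXAMPLE is a placeholder.
SAMPLE = [
    '203.0.113.7 - - [04/Mar/2020:10:00:00 +0000] "GET /actions/seomatic/meta-container/EXAMPLE?uri=%7B%7B228*98%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Mar/2020:10:00:01 +0000] "GET /actions/seomatic/meta-container/EXAMPLE?uri=%257B%257B228*98%257D%257D HTTP/1.1" 404 0',
    '198.51.100.4 - - [04/Mar/2020:10:00:02 +0000] "GET /actions/seomatic/meta-container/EXAMPLE?uri=/blog/first-post HTTP/1.1" 200 900',
    '198.51.100.9 - - [04/Mar/2020:10:00:03 +0000] "GET /search?uri=%7B%7B228*98%7D%7D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(find_ssti_probes(SAMPLE))
```

Access logs do not record the response body, so a hit with status 200 only shows that the probe reached the endpoint; confirm exposure by checking the installed SEOmatic version against 3.3.0.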
CVSS provenance
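| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |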
GHSA
SEOmatic for CraftCMS allows Server-Side Template Injection
ghsa·2022-05-24
CVE-2020-9757 [CRITICAL] CWE-74 SEOmatic for CraftCMS allows Server-Side Template Injection
The Seomatic component before 3.2.46 for Craft CMS allows Server-Side Template Injection and information disclosure via malformed data to the metacontainers controller.
OSV
SEOmatic for CraftCMS allows Server-Side Template Injection
osv·2022-05-24
CVE-2020-9757 [CRITICAL] SEOmatic for CraftCMS allows Server-Side Template Injection
The Seomatic component before 3.2.46 for Craft CMS allows Server-Side Template Injection and information disclosure via malformed data to the metacontainers controller.
VulnCheck
craftcms Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-9757 [CRITICAL] craftcms Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
Affected: craftcms Craft CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
No detection rules found.
Nuclei
Craft CMS < 3.3.0 - Server-Side Template Injection
nuclei·CVSS 9.8
CVE-2020-9757 [CRITICAL] Craft CMS < 3.3.0 - Server-Side Template Injection
Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.
Template:
```yaml
id: CVE-2020-9757
info:
  name: Craft CMS < 3.3.0 - Server-Side Template Injection
  author: dwisiswant0
  severity: critical
  description: Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server.
  remediation: |
    Upgrade Craft CMS to version 3.3.0 or higher to mitigate thi
```
No writeups or analysis indexed.
- https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt
- https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md
- https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b
- https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f