CVE-2020-9757
published 2020-03-04

CVE-2020-9757: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

Priority: P1 (86) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV; in-the-wild exploit known)
EPSS: 73.43% (99.4th percentile)

Affected (2 ranges)

Vendor        Product          Version range     Fixed in
craftcms      craft_cms        < 3.3.0           3.3.0
nystudio107   craft-seomatic   >= 0, < 3.3.0     3.3.0

Detection & IOCs (extracted from sources)

URL: /actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}
URL: /actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}
  • Exploit requests target the SEOmatic metacontainers controller endpoints with a Twig SSTI payload in the `uri` parameter. A vulnerable server will evaluate the expression and return the computed result (228*98=22344) in the response body alongside 'MetaLinkContainer' and 'canonical'.
  • Shodan fingerprinting queries for exposed Craft CMS instances: search for cpe:"cpe:2.3:a:craftcms:craft_cms" or http.html:craftcms or favicon hash -47932290.
  • The SSTI payload uses Twig template syntax (double curly braces with a multiplication expression) delivered via the `uri` GET parameter to the SEOmatic meta-container endpoints.
  • Two distinct vulnerable endpoints exist; both should be tested/monitored as the exploit path may vary.
  • The vulnerability affects SEOmatic component versions before 3.3.0 for Craft CMS; instances running 3.3.0 or later are not affected.
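The following detection script is an added example and is not part of this record or of the SEOmatic project. It scans web-server access logs (combined log format) for requests to the two SEOmatic meta-container endpoints listed above whose `uri` query parameter carries Twig delimiters, including percent-encoded and double-encoded forms. The log lines, IP addresses and timestamps are constructed for the example; the endpoint paths and the `{{228*'98'}}` probe come from the record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2020:10:01:02 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B228*'98'%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
203.0.113.10 - - [04/Mar/2020:10:01:03 +0000] "GET /actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}} HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
198.51.100.7 - - [04/Mar/2020:10:02:00 +0000] "GET /actions/seomatic/meta-container/all-meta-containers?uri=/blog/hello-world HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Mar/2020:10:02:30 +0000] "GET /blog/hello-world HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Fields of a combined-log entry up to the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Common prefix of the two SEOmatic endpoints named in the record.
SEOMATIC_PREFIX = "/actions/seomatic/meta-container/"

# Twig delimiters: {{ ... }} prints an expression, {% ... %} opens a tag.
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}")


def extract_uri_param(target):
    """Return the fully decoded `uri` query parameter of a request target, or None."""
    parts = urlsplit(target)
    values = parse_qs(parts.query, keep_blank_values=True).get("uri")
    if not values:
        return None
    # parse_qs percent-decodes once; decode again so a double-encoded
    # probe (%257B%257B ...) is still recognised.
    return unquote(values[0])


def classify_request(target):
    """Return a finding dict if the request looks like a Twig SSTI probe
    against a SEOmatic meta-container endpoint, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith(SEOMATIC_PREFIX):
        return None
    uri = extract_uri_param(target)
    if uri is None or not TWIG_DELIMS.search(uri):
        return None
    return {"endpoint": parts.path, "uri_param": uri}


def find_ssti_probes(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash
        hit = classify_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), timestamp=m.group("ts"),
                       status=int(m.group("status")))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in find_ssti_probes(SAMPLE_LOG):
        print(finding)
```

Matching on the Twig delimiters rather than on the literal `228*'98'` string keeps the rule useful when the expression is varied. A 200 status on a matched request is a sign to inspect the response body (the record notes that a vulnerable server returns the evaluated result, 22344, alongside 'MetaLinkContainer' and 'canonical'); on instances already at SEOmatic 3.3.0 or later the hits are still worth keeping as reconnaissance indicators.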

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -