CVE-2021-41749
published 2022-06-12


Priority: P179 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see the Nuclei template notes under Detection & IOCs)
EPSS: 17.25% (96.7th percentile)
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

Affected (2 ranges)

Vendor        Product          Version range      Fixed in
nystudio107   craft-seomatic   >= 0, < 3.4.11     3.4.11
nystudio107   seomatic         <= 3.4.11          -

Detection & IOCs (extracted from sources)

  [other]    X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
  [command]  X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
  [other]    root:.*:0:0:
  • Exploit is delivered via the X-Forwarded-Host HTTP header containing Twig template injection payloads (e.g., arithmetic expressions or filter('system') calls); monitor all inbound requests to Craft CMS instances for X-Forwarded-Host values containing Twig syntax characters {{ and }}.
  • A second-stage RCE payload uses Twig's filter('system') to execute OS commands; detect X-Forwarded-Host headers matching the pattern: xxx{{[...]|filter('system')}}bbb.
  • Successful exploitation can be confirmed by the presence of 'root:.*:0:0:' (passwd file content) in the HTTP response body; alert on responses from Craft CMS servers containing this pattern.
  • Shodan fingerprinting queries for exposed targets: search for 'X-Powered-By: Craft CMS' combined with HTML containing 'SEOmatic', or the header 'x-powered-by: craft cms'.
  • The attack requires no authentication (PR:N, UI:N); any unauthenticated GET request with a malicious X-Forwarded-Host header to a Craft CMS endpoint running SEOmatic ≤ 3.4.11 is sufficient for exploitation.
  • The SSTI injection point is specifically the X-Forwarded-Host HTTP header; the vulnerability only affects SEOmatic plugin versions up to and including 3.4.11 for Craft CMS 3.
  • The Nuclei template uses stop-at-first-match and two sequential requests: the first probes for arithmetic SSTI evaluation, the second attempts direct RCE via system command execution. Detection logic must account for both variants.
  • Redirects are followed during exploitation (up to 2 hops); WAF or proxy rules blocking X-Forwarded-Host injection must also inspect redirected responses.
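One way to turn the detection notes above into code, as an added example that is not from this page or its sources: a Python classifier run over constructed request/response records. It flags any Twig syntax in X-Forwarded-Host, recognises the arithmetic probe and checks whether its product came back evaluated in the response, flags the filter('system') stage, and flags /etc/passwd content in the body. The sample traffic, hostnames and label names are constructed for the example.

```python
import re

# Twig delimiters never belong in a Host-style header: hostnames cannot contain braces.
TWIG_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# First-stage probe shape from the Nuclei template: {{<int>*<int>}}
TWIG_ARITH = re.compile(r"\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}")
# Second-stage RCE shape from the IOC list: {{[...]|filter('system')}}; quoting and spacing vary
TWIG_SYSTEM = re.compile(r"\|\s*filter\s*\(\s*['\"]system['\"]\s*\)", re.I)
# Confirmation string from the IOC list: /etc/passwd content echoed in the response body
PASSWD_LEAK = re.compile(r"root:.*:0:0:")


def classify_request(headers: dict, body: str = "") -> list:
    """Return detection labels for one request/response pair.

    headers: request headers; the X-Forwarded-Host lookup is case-insensitive
    body:    response body, or "" if the sensor only sees requests
    """
    findings = []
    xfh = next((v for k, v in headers.items() if k.lower() == "x-forwarded-host"), None)
    if xfh is not None and TWIG_DELIMS.search(xfh):
        findings.append("xfh_twig_syntax")  # any Twig syntax in this header is hostile
        probe = TWIG_ARITH.search(xfh)
        if probe:
            findings.append("xfh_ssti_probe")
            a, b = int(probe.group(1)), int(probe.group(2))
            # The evaluated product in the body (with the raw probe text masked out) means
            # the template engine executed the header, not merely reflected it.
            if str(a * b) in body.replace(probe.group(0), ""):
                findings.append("ssti_evaluated")
        if TWIG_SYSTEM.search(xfh):
            findings.append("xfh_rce_attempt")
    if PASSWD_LEAK.search(body):
        findings.append("passwd_in_response")
    return findings


# Constructed sample traffic (not real captures): benign, evaluated probe, reflected probe, RCE stage.
SAMPLE_TRAFFIC = [
    ({"Host": "shop.example.test", "X-Forwarded-Host": "shop.example.test"}, "<html>ok</html>"),
    ({"x-forwarded-host": "shop.example.test/{{7*7}}"}, "<title>49</title>"),
    ({"X-Forwarded-Host": "shop.example.test/{{7*7}}"}, "shop.example.test/{{7*7}}"),
    ({"X-Forwarded-Host": "xxx{{['cat /etc/passwd']|filter('system')}}bbb"},
     "root:x:0:0:root:/root:/bin/bash\n"),
]


def triage(traffic=SAMPLE_TRAFFIC) -> list:
    """Classify every (headers, body) pair; an empty list means benign traffic."""
    return [classify_request(h, b) for h, b in traffic]


if __name__ == "__main__":
    for (headers, _), labels in zip(SAMPLE_TRAFFIC, triage()):
        print(headers.get("X-Forwarded-Host", headers.get("x-forwarded-host")), "->", labels)
```

The probe check uses small numbers here; the real template uses random values, so a coincidental match of the product in a page body is far less likely in practice.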

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P