CVE-2021-41749
Published 2022-06-12
Priority: P1 (79) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 17.25% (96.7th percentile)
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nystudio107 | craft-seomatic | >= 0 < 3.4.11 | 3.4.11 |
| nystudio107 | seomatic | <= 3.4.11 | — |
The two indexed ranges disagree on whether 3.4.11 itself is affected. The advisory text says versions up to and including 3.4.11 are vulnerable, so treat an installed 3.4.11 as affected and upgrade past it.
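The first question for a defender is whether a given Craft CMS project pulls in an affected SEOmatic release. The following is an added example, not code from the advisory or from the SEOmatic project: it reads a composer.lock (the fragment in the block is constructed), finds the nystudio107/craft-seomatic package and compares its version against the advisory's upper bound, treating 3.4.11 itself as affected as the advisory text states.

```python
"""Audit a composer.lock for a SEOmatic version affected by CVE-2021-41749.

Added example, not part of the advisory or of the SEOmatic project. Following
the advisory text it treats every release up to and including 3.4.11 as
affected. The lock-file content is constructed for the demonstration.
"""
import json
import re
from typing import Tuple

PACKAGE = "nystudio107/craft-seomatic"
LAST_VULNERABLE = (3, 4, 11)  # "up to 3.4.11" per the advisory text

# Constructed composer.lock fragment: only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "3.7.44"},
        {"name": PACKAGE, "version": "v3.4.11"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v3.4.11', '3.4.11' or '3.4.12-beta.1' into a comparable tuple.

    Composer allows a leading 'v'; any pre-release suffix is ignored, so a
    pre-release is compared as its base version.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range.

    Anything above 3.4.11 (including the 4.x line for Craft CMS 4) is simply
    outside this advisory; this function says nothing about other CVEs.
    """
    return parse_version(version) <= LAST_VULNERABLE


def audit_lock(lock_json: str) -> dict:
    """Report the installed SEOmatic version and whether it is affected."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                ver = pkg["version"]
                return {"installed": ver, "affected": is_affected(ver)}
    return {"installed": None, "affected": False}


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

Run it against a real project with `audit_lock(open("composer.lock").read())`; the lock file, not composer.json, is what records the resolved version actually installed.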
Detection & IOCs (extracted from sources)
- Probe header (Nuclei placeholders: {{Hostname}}, {{marker}}, {{num1}} and {{num2}} are substituted by the template before sending, so the server receives a random marker followed by {{N*M}} Twig arithmetic): X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
- Command-execution header: X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
- Response pattern confirming execution: root:.*:0:0:
- The exploit is delivered via the X-Forwarded-Host HTTP header carrying Twig template syntax (arithmetic expressions such as {{N*M}}, or filter('system') calls). Monitor all inbound requests to Craft CMS instances for X-Forwarded-Host values containing the Twig delimiters {{ and }}.
- The second-stage RCE payload uses Twig's filter('system') to execute OS commands; detect X-Forwarded-Host headers matching the pattern xxx{{[...]|filter('system')}}bbb. The xxx/bbb padding is the template's own and trivially changed by an attacker, so match on filter('system') rather than on the padding.
- Successful exploitation can be confirmed by the presence of root:.*:0:0: (/etc/passwd content) in the HTTP response body; alert on responses from Craft CMS servers containing this pattern.
- Shodan fingerprinting for exposed targets: search for the header X-Powered-By: Craft CMS combined with HTML containing SEOmatic (the header also appears as x-powered-by: craft cms).
- No authentication is required (PR:N, UI:N): a single unauthenticated GET request with a malicious X-Forwarded-Host header to any page of a Craft CMS site running SEOmatic ≤ 3.4.11 is sufficient.
- The injection point is specifically the X-Forwarded-Host header; only SEOmatic versions up to and including 3.4.11 for Craft CMS 3 are affected.
- The Nuclei template uses stop-at-first-match and two sequential requests: the first probes for arithmetic SSTI evaluation, the second attempts RCE via system command execution. Detection logic must cover both variants, since a scanner that stops after the first hit never sends the second.
- Redirects are followed during exploitation (up to 2 hops); WAF or proxy rules blocking X-Forwarded-Host injection must also inspect redirected responses. At the edge, the reverse proxy should overwrite any client-supplied X-Forwarded-Host with the host it actually received rather than forwarding it, since the application trusts this header as the site host.
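The indicators above, turned into runnable detection logic. This is an added example, not code from the advisory, the Nuclei template or SEOmatic. It classifies X-Forwarded-Host values into the arithmetic-probe and filter('system') variants (and also flags the {% %} tag delimiters, which are Twig syntax the page does not list), runs that over constructed access-log lines whose final quoted field is assumed to be $http_x_forwarded_host, checks a response body for the root:.*:0:0: pattern, and offers a host[:port] pre-filter for a proxy. The marker-plus-product check for the first probe is an assumption about how the template verifies its first request; the page shows only the header placeholders.

```python
"""Detection logic for CVE-2021-41749 exploitation attempts in HTTP traffic.

Added example, not code from the advisory, the Nuclei template or SEOmatic.
It covers the indicators listed above: Twig delimiters in X-Forwarded-Host
(arithmetic probe and filter('system') variants), the root:.*:0:0: pattern in
a response body, and a marker+product check for the arithmetic probe. That
last check is an assumption about how the template's first request is
verified; the page shows only the header placeholders. The access-log format
and the log lines are constructed: the final quoted field is assumed to be
$http_x_forwarded_host ("-" when the header is absent).
"""
import re
from typing import List, Optional

TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}")
TWIG_ARITH = re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}")
TWIG_SYSTEM = re.compile(r"filter\(\s*['\"]system['\"]\s*\)")
PASSWD_LEAK = re.compile(r"root:.*:0:0:")
PLAIN_HOST = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?$")

# Constructed access-log lines; client 10.0.0.9 sends the two template stages.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "www.example.com"',
    '10.0.0.9 - - [12/Jun/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5133 "www.example.com/qzvkml{{1234*5678}}"',
    '10.0.0.9 - - [12/Jun/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 6001 "xxx{{[\'cat /etc/passwd\']|filter(\'system\')}}bbb"',
    '10.0.0.9 - - [12/Jun/2022:10:00:03 +0000] "GET /about HTTP/1.1" 200 4711 "-"',
]
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<xfh>[^"]*)"$'
)


def classify_xfh(value: str) -> Optional[str]:
    """None for a benign header value, otherwise the attack variant seen.

    Matching on filter('system') rather than on the xxx/bbb padding keeps the
    rule effective when an attacker changes the template's padding.
    """
    if TWIG_SYSTEM.search(value):
        return "twig-rce-system"
    if TWIG_ARITH.search(value):
        return "twig-arith-probe"
    if TWIG_DELIMS.search(value):
        return "twig-syntax"
    return None


def is_plain_forwarded_host(value: str) -> bool:
    """Edge pre-filter: X-Forwarded-Host must look like host[:port].

    A reverse proxy should drop or overwrite anything else before it reaches
    Craft; every payload above fails this check.
    """
    return bool(PLAIN_HOST.match(value))


def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per request whose X-Forwarded-Host carries Twig."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        variant = classify_xfh(m["xfh"])
        if variant:
            findings.append({
                "client": m["client"],
                "path": m["path"],
                "variant": variant,
                "header": m["xfh"],
            })
    return findings


def response_confirms_rce(body: str) -> bool:
    """Second-stage confirmation: /etc/passwd content echoed in the response."""
    return bool(PASSWD_LEAK.search(body))


def probe_confirmed(body: str, marker: str, num1: int, num2: int) -> bool:
    """First-stage confirmation: the server evaluated {{num1*num2}} and
    reflected the marker immediately followed by the product."""
    return f"{marker}{num1 * num2}" in body


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Because the header is also followed through up to two redirects by the scanner, apply response_confirms_rce to every hop's body, not only the final one; and because the template stops at its first match, a log that shows only the arithmetic probe still means the target was confirmed vulnerable.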
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
OSV
Code Injection in SEOmatic (osv · 2022-06-13) · CVE-2021-41749 [CRITICAL]
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
GHSA
Code Injection in SEOmatic (ghsa · 2022-06-13) · CVE-2021-41749 [CRITICAL] · CWE-94
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
No detection rules found.
Nuclei
CraftCMS SEOmatic - Server-Side Template Injection (nuclei · CVSS 9.8) · CVE-2021-41749 [CRITICAL]
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
Template (info section only):
```yaml
id: CVE-2021-41749

info:
  name: CraftCMS SEOmatic - Server-Side Template Injection
  author: iamnoooob,ritikchaddha
  severity: critical
  description: |
    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
  impact: |
    Unauthenticated attackers can exploit SSTI via X-Forwarded-Host header to execute arbitrary Twig templates and system commands, achieving complete server compromise.
  remediation: |
    Upgrade to CraftCMS SEOmatic version
```
No writeups or analysis indexed.
References
- https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
- https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d