Server-Side Template Injection in SEOmatic for Craft CMS
CVE-2020-9757

9.8CRITICAL

Key Information:

Vendor: Craftcms
Status: Craft Cms
Vendor: CVE Published:; 4 March 2020

What is CVE-2020-9757?

The SEOmatic component for Craft CMS, prior to version 3.3.0, exhibits a vulnerability that allows an attacker to execute Server-Side Template Injection (SSTI) through the exploitation of malformed data sent to the metacontainers controller. This flaw can potentially lead to Remote Code Execution, compromising the integrity and security of affected systems. Users are strongly recommended to upgrade to the latest version to mitigate this risk.

References

https://github.com/nystudio107/craft-seomatic/blob/v3/CHA...

x_refsource_MISC

https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt

x_refsource_MISC

https://github.com/nystudio107/craft-seomatic/commit/65ab...

x_refsource_CONFIRM

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 4, 2020
Vulnerability Reserved
Mar 2, 2020

Craftcms

What is CVE-2020-9757?

References

EPSS Score

CVSS V3.1

Timeline