CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41750
https://notcve.org/view.php?id=CVE-2021-41750
12 Jun 2022 — A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension. Una vulnerabilidad de tipo cross-site scripting (XSS) en el plugin SEOmatic 3.4.10 ... • https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 32%CPEs: 1EXPL: 0CVE-2021-41749
https://notcve.org/view.php?id=CVE-2021-41749
12 Jun 2022 — In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution. En el plugin SEOmatic versiones hasta 3.4.11 para Craft CMS 3, es posible que atacantes no autenticados lleven a cabo un ataque de tipo Server-Side Template Injection, permitiendo una ejecución de código remota • https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44618
https://notcve.org/view.php?id=CVE-2021-44618
11 Mar 2022 — A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header. Se presenta una vulnerabilidad de Inyección de Plantillas del Lado del Servidor (SSTI) en Nystudio107 Seomatic versión 3.4.12, en el archivo src/helpers/UrlHelper.php por medio del encabezado host • https://github.com/nystudio107/craft-seomatic/commit/0c5c0c0e0cb61000d12ec55ebf174745a5bf6469 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-12790
https://notcve.org/view.php?id=CVE-2020-12790
11 May 2020 — In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon. En el plugin SEOmatic versiones anteriores a 3.2.49 para Craft CMS, el archivo helpers/DynamicMeta.php no sanea apropiadamente la URL. Esto conlleva a una Inyección de Plantilla del Lado del Servidor y a una divulgación de credenciales por medio de una plantilla Twig diseñada desp... • https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md#3249---20200324 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 2CVE-2018-14716 – Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2018-14716
06 Aug 2018 — A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code. Se ha descubierto una inyección SSTI (Server Side Template Injection) en el plugin SEOmatic en versiones anteriores a la 3.1.4 para Craft CMS, debido a que las peticiones que no coinciden con elementos generan erróneamente el canonicalUrl y podría conducir a la ejecución de códig... • https://www.exploit-db.com/exploits/45108 • CWE-94: Improper Control of Generation of Code ('Code Injection') •