Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yM3E3LTU5amotMnBqNM4AAkqf
SEOmatic for CraftCMS allows Server-Side Template Injection
In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.
Permalink: https://github.com/advisories/GHSA-23q7-59jj-2pj4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yM3E3LTU5amotMnBqNM4AAkqf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-23q7-59jj-2pj4, CVE-2020-12790
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12790
- https://github.com/nystudio107/craft-seomatic/commit/82f4a25b28fd622393da6592dc9e5ccee7fc5be3#diff-52fd042c50432133a00a8f840f4a6165
- https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md#3249---20200324
- https://github.com/nystudio107/craft-seomatic/releases/tag/3.2.49
- https://isec.pl/en/vulnerabilities/isec-0028-seomatic-ssti-23032020.txt
- https://github.com/nystudio107/craft-seomatic/commit/82f4a25b28fd622393da6592dc9e5ccee7fc5be3
- https://github.com/advisories/GHSA-23q7-59jj-2pj4
Blast Radius: 15.3
Affected Packages
packagist:nystudio107/craft-seomatic
Dependent packages: 42Dependent repositories: 109
Downloads: 1,175,469 total
Affected Version Ranges: < 3.2.49
Fixed in: 3.2.49
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.20, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.39, 3.1.40, 3.1.41, 3.1.42, 3.1.43, 3.1.44, 3.1.45, 3.1.46, 3.1.47, 3.1.48, 3.1.49, 3.1.50, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.2.26, 3.2.27, 3.2.28, 3.2.29, 3.2.30, 3.2.31, 3.2.32, 3.2.33, 3.2.34, 3.2.35, 3.2.36, 3.2.37, 3.2.38, 3.2.39, 3.2.41, 3.2.42, 3.2.43, 3.2.44, 3.2.45, 3.2.46, 3.2.47, 3.2.48
All unaffected versions: 3.2.49, 3.2.50, 3.2.51, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.16, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.3.21, 3.3.22, 3.3.23, 3.3.24, 3.3.25, 3.3.26, 3.3.27, 3.3.28, 3.3.29, 3.3.30, 3.3.31, 3.3.32, 3.3.33, 3.3.34, 3.3.35, 3.3.36, 3.3.37, 3.3.38, 3.3.39, 3.3.40, 3.3.41, 3.3.42, 3.3.43, 3.3.44, 3.3.45, 3.3.46, 3.3.47, 3.3.48, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.4.15, 3.4.16, 3.4.17, 3.4.18, 3.4.19, 3.4.20, 3.4.21, 3.4.22, 3.4.23, 3.4.24, 3.4.25, 3.4.26, 3.4.27, 3.4.28, 3.4.29, 3.4.30, 3.4.31, 3.4.32, 3.4.33, 3.4.34, 3.4.35, 3.4.36, 3.4.37, 3.4.38, 3.4.39, 3.4.40, 3.4.41, 3.4.42, 3.4.43, 3.4.44, 3.4.45, 3.4.46, 3.4.47, 3.4.48, 3.4.49, 3.4.50, 3.4.51, 3.4.52, 3.4.53, 3.4.54, 3.4.55, 3.4.56, 3.4.57, 3.4.58, 3.4.59, 3.4.60, 3.4.61, 3.4.62, 3.4.63, 3.4.64, 3.4.65, 3.4.66, 3.4.67, 3.4.68, 3.4.69, 3.4.70, 3.4.71, 3.4.72, 3.4.73, 3.4.74, 3.4.75, 3.4.76, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.24, 4.0.25, 4.0.26, 4.0.27, 4.0.28, 4.0.29, 4.0.30, 4.0.31, 4.0.32, 4.0.33, 4.0.34, 4.0.35, 4.0.36, 4.0.37, 4.0.38, 4.0.39, 4.0.40, 4.0.41, 4.0.42, 4.0.43, 4.0.44, 4.0.45, 4.0.46, 4.0.47, 4.0.48, 5.0.1, 5.0.2