CVE-2020-9757

CRITICAL EXPLOITED NUCLEI

Craft CMS SEOmatic < 3.3.0 - Server-Side Template Injection via Metacontainers Controller

Title source: llm

Exploitation Summary

CVE-2020-9757 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.

Nuclei Templates (1)

Craft CMS < 3.3.0 - Server-Side Template Injection

CRITICALby dwisiswant0

Shodan: cpe:"cpe:2.3:a:craftcms:craft_cms" || http.html:craftcms || http.favicon.hash:-47932290

FOFA: icon_hash=-47932290 || body=craftcms

References (4)

Core 4

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/nystudio107/craft-seomatic/blob/v3/CHANGELOG.md

View Writeup ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/giany/CVE/blob/master/CVE-2020-9757.txt

View Exploit ZIP pw:eip

Patch, Third Party Advisory x_refsource_confirm

https://github.com/nystudio107/craft-seomatic/commit/65ab659cb6c914c7ad671af1e417c0da2431f79b

View Patch ZIP pw:eip

Patch, Third Party Advisory x_refsource_confirm

https://github.com/nystudio107/craft-seomatic/commit/a1c2cad7e126132d2442ec8ec8e9ab43df02cc0f

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.7343

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-09-19

CWE

CWE-74

Status published

Products (2)

craftcms/craft_cms < 3.3.0

nystudio107/craft-seomatic 0 - 3.3.0Packagist

Published Mar 04, 2020

Tracked Since Feb 18, 2026