Server-side Template Injection in CraftCMS SEOmatic plugin by Nystudio107

Discovered by Jack Misiura on behalf of The Missing Link Security

Vulnerability Details

A Server-side Template Injection (SSTI) vulnerability in the SEOmatic plugin for CraftCMS by Nystudio107, version 3.4.11 and earlier, allows injection of malicious server-side templates through manipulation of the request's Host header. Successful exploitation of the issue may allow an unauthenticated attacker to execute arbitrary code on the web application's server.
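The following Python sketch is an added example, not part of the original advisory and not code from SEOmatic or CraftCMS. It triages logged Host header values for the pattern described above: template delimiters, malformed hostnames, and hosts the site never serves. The log line format, the allow-list and the sample lines are constructed assumptions.

```python
import re

# Twig delimiters; none of them can appear in a legitimate Host header.
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "{#", "#}")

# RFC 1123 hostname labels with an optional port. Bracketed IPv6 literals are
# out of scope for this sketch and are reported as malformed.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?P<name>{_LABEL}(?:\.{_LABEL})*)\.?(?::(?P<port>[0-9]{{1,5}}))?")

# Assumption: access logs record the Host header as a quoted host="..." field.
_LOG_RE = re.compile(r'(?P<ip>\S+) host="(?P<host>[^"]*)" "(?P<request>[^"]*)"')

# Assumption: hostnames this site legitimately serves (constructed values).
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def classify_host(value, allowed=ALLOWED_HOSTS):
    """Return 'ok', 'template-marker', 'malformed' or 'not-allowed'."""
    if any(marker in value for marker in TEMPLATE_MARKERS):
        return "template-marker"
    match = _HOST_RE.fullmatch(value)
    if match is None or len(match.group("name")) > 253:
        return "malformed"
    port = match.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return "malformed"
    if match.group("name").lower() not in allowed:
        return "not-allowed"
    return "ok"


def scan(lines, allowed=ALLOWED_HOSTS):
    """Return (line_number, verdict, host) for every line that is not 'ok'."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _LOG_RE.fullmatch(line)
        if match is None:
            findings.append((number, "unparsed", line))
            continue
        verdict = classify_host(match.group("host"), allowed)
        if verdict != "ok":
            findings.append((number, verdict, match.group("host")))
    return findings


# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.5 host="www.example.com" "GET / HTTP/1.1"',
    '203.0.113.9 host="{{ constructed }}" "GET / HTTP/1.1"',
    '198.51.100.7 host="other.example.net" "GET / HTTP/1.1"',
    '198.51.100.7 host="www.example.com:8443" "GET /about HTTP/1.1"',
    '192.0.2.44 host="www.example.com/x" "GET / HTTP/1.1"',
]
```

A check like this helps spot probing in existing logs; upgrading to the fixed version listed below is what removes the issue.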

Affected Versions

Discovered in 3.4.10

Fixed Versions

Fixed in 3.4.12

