7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12790

GHSA ID

GHSA-23q7-59jj-2pj4

EPSS Score

0.63102%

CWE

CWE-74

Published

5/24/2022

Updated

8/21/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-12790

CVE-2020-12790:
SEOmatic for CraftCMS allows Server-Side Template Injection

In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12790

GHSA ID

GHSA-23q7-59jj-2pj4

EPSS Score

0.63102%

CWE

CWE-74

Published

5/24/2022

Updated

8/21/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nystudio107/craft-seomatic	composer	< 3.2.49	3.2.49

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper URL sanitization in DynamicMeta.php's sanitizeUrl method. The pre-patch code only used html_entity_decode and strip_tags, but lacked urldecode. This allowed attackers to supply URL-encoded Twig payloads (e.g., %7B%7Bmalicious_code%7D%7D) that would survive sanitization and be parsed as valid templates. The critical fix in 3.2.49 added urldecode() before sanitization, confirming this as the vulnerable function. The CWE-74 classification and advisory details about URL sanitization flaws further support this conclusion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In t** S*Om*ti* plu*in ***or* *.*.** *or *r**t *MS, **lp*rs/*yn*mi*M*t*.p*p *o*s not prop*rly s*nitiz* t** URL. T*is l***s to S*rv*r-Si** T*mpl*t* Inj**tion *n* *r***nti*ls *is*losur* vi* * *r**t** Twi* t*mpl*t* **t*r * s*mi*olon.

Reasoning

T** vuln*r**ility st*ms *rom improp*r URL s*nitiz*tion in *yn*mi*M*t*.p*p's s*nitiz*Url m*t*o*. T** pr*-p*t** *o** only us** *tml_*ntity_***o** *n* strip_t**s, *ut l**k** url***o**. T*is *llow** *tt**k*rs to supply URL-*n*o*** Twi* p*ylo**s (*.*., %*

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-12790: SEOmatic for CraftCMS allows Server-Side Template Injection

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-12790:
SEOmatic for CraftCMS allows Server-Side Template Injection

Vulnerability Intelligence
Miggo AI