
CVE-2021-31779: Server-Side Request Forgery in yoast_seo

CVSS Score: 6.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.3596%
Published: 5/21/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Package Name: yoast-seo-for-typo3/yoast_seo
Ecosystem: composer
Vulnerable Versions: < 7.2.1
First Patched Version: 7.2.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description indicates improper URL validation in SEO analysis features. SSRF typically occurs when user-controlled URLs are fetched without proper restrictions. The extension's URL analysis functionality would logically involve a URL fetching method, and the patch (7.2.1) likely added domain validation here. The TYPO3 advisory specifically mentions the failure to restrict analyzed URLs to managed domains, strongly suggesting the URL fetching function was vulnerable.


Description

The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.
