
CVE-2021-41749: Code Injection in SEOmatic

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.99318%
Published: 6/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: nystudio107/craft-seomatic
Ecosystem: composer
Vulnerable Versions: < 3.4.11
First Patched Version: 3.4.11

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from the order of operations in URL sanitization. The original implementation of safeCanonicalUrl() sanitized the URL first and only then made it absolute via UrlHelper::absoluteUrlWithProtocol(). That second step could incorporate an untrusted X-Forwarded-Host header value, so attacker-controlled host content entered the canonical URL after sanitization had already run. The patch moves the sanitization step after the absolute URL generation, so the complete URL (host included) is sanitized; that change confirms the vulnerability lay in the ordering of these two steps. safeCanonicalUrl() is the direct entry point for this attack vector because it generates the canonical URL for pages served to unauthenticated users.
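The ordering problem described above, as an added illustration that is not SEOmatic's code. The two helper functions are constructed stand-ins for the plugin's sanitization step and for UrlHelper::absoluteUrlWithProtocol(); the only property they need to share with the real code is that the absolute-URL step honors X-Forwarded-Host. The header value and site host are constructed sample input, and the allowlist variant at the end is an additional hardening assumed here, not part of the described patch.

```python
# Added example (not the SEOmatic project's code): why "sanitize, then make
# absolute" leaves forwarded-host content unsanitized, and why reversing the
# order fixes it.

TEMPLATE_DELIMITERS = ("{{", "}}", "{%", "%}")


def sanitize_template_syntax(value: str) -> str:
    """Constructed stand-in for the sanitization step: strip Twig-style
    template delimiters so the value cannot be interpreted as a template."""
    for delimiter in TEMPLATE_DELIMITERS:
        value = value.replace(delimiter, "")
    return value


def absolute_url_with_protocol(path: str, headers: dict, site_host: str) -> str:
    """Constructed stand-in for absoluteUrlWithProtocol(). Like the behaviour
    described in the root cause analysis, it prefers X-Forwarded-Host over
    the configured site host when building the absolute URL."""
    host = headers.get("X-Forwarded-Host", site_host)
    return f"https://{host}{path}"


def safe_canonical_url_vulnerable(path: str, headers: dict, site_host: str) -> str:
    """Original ordering: sanitize the path, then make it absolute.
    Whatever the absolute-URL step pulls from the request headers is never
    sanitized."""
    clean_path = sanitize_template_syntax(path)
    return absolute_url_with_protocol(clean_path, headers, site_host)


def safe_canonical_url_fixed(path: str, headers: dict, site_host: str) -> str:
    """Patched ordering: make the URL absolute first, then sanitize the
    complete result, host included."""
    absolute = absolute_url_with_protocol(path, headers, site_host)
    return sanitize_template_syntax(absolute)


def absolute_url_with_trusted_host(path: str, headers: dict, site_host: str,
                                   trusted_hosts: set) -> str:
    """Assumed additional hardening (not the described patch): only honor
    X-Forwarded-Host when it is on an explicit allowlist; otherwise fall back
    to the configured site host."""
    forwarded = headers.get("X-Forwarded-Host")
    host = forwarded if forwarded in trusted_hosts else site_host
    return f"https://{host}{path}"


def contains_template_syntax(value: str) -> bool:
    """Detection helper: does the final URL still carry template delimiters?"""
    return any(delimiter in value for delimiter in TEMPLATE_DELIMITERS)


if __name__ == "__main__":
    # Constructed request: a forwarded host carrying template delimiters.
    headers = {"X-Forwarded-Host": "forwarded.example{{marker}}"}
    site_host = "site.example"

    vulnerable = safe_canonical_url_vulnerable("/about", headers, site_host)
    fixed = safe_canonical_url_fixed("/about", headers, site_host)
    allowlisted = absolute_url_with_trusted_host("/about", headers, site_host,
                                                 {"cdn.example"})

    print("vulnerable ordering :", vulnerable, contains_template_syntax(vulnerable))
    print("patched ordering    :", fixed, contains_template_syntax(fixed))
    print("allowlisted host    :", allowlisted)
```

Running the script shows the vulnerable ordering emitting a canonical URL that still contains the delimiters from the forwarded host, while the patched ordering strips them and the allowlist variant never uses the untrusted host at all. The contains_template_syntax() check is the kind of assertion worth keeping in a unit test for any URL that ends up rendered by a template engine.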


WAF Protection Rules

WAF Rule

In the SEOmatic plugin up to 3.4.10 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
