Synopsis: Server-Side Template Injection in SEOmatic plugin for Craft CMS 3.x
Product: SEOmatic plugin for Craft CMS 3.x
Version: up to 3.2.48
Url: https://github.com/nystudio107/craft-seomatic
Author: Paweł Hałdrzyński, Daniel Kalinowski from ISEC.PL

Issue:
======
Leaking sensitive data from the application (including database credentials) through a Server-Side Template Injection vulnerability.

Details:
========
Due to a lack of sanitization in the /helpers/DynamicMeta.php file, an attacker may inject a Twig template through a URL part (the segment after a semicolon). This Twig template is rendered in the server response, resulting in a Server-Side Template Injection vulnerability. By leveraging Craft CMS built-in methods, an attacker may read information from the configuration files. Injecting Twig expression tags containing craft.config.get('password','db'),craft.config.get('user','db') results in database credentials disclosure.

Proof of Concept:
=================
https://isec.pl/en/vulnerabilities/isec-0028-seomatic-ssti-23032020.mp4

Timeline:
=========
Mar 23, 2020 - Vendor informed about the issue
Mar 23, 2020 - Vendor pushed fix
Apr 01, 2020 - Request for further communication regarding the vulnerability and public disclosure
Apr 28, 2020 - Vendor stopped responding
May 11, 2020 - Public disclosure
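The injection vector described above is a URL segment that is handed to the Twig renderer, so the Twig delimiters ({{ }}, {% %}, {# #}) end up in the request line of the web server log. The following detection script is an added example written for this advisory; it is not part of the ISEC report or the SEOmatic project. It assumes combined-format access log lines (Apache/nginx style), percent-decodes each request target repeatedly so double-encoded probes are not missed, and flags any request whose decoded path or query contains a Twig delimiter. The log lines, IP addresses and paths in SAMPLE_LOG are constructed for illustration.

```python
"""Flag web-server requests whose path/query carries Twig template delimiters.

Added example for the SEOmatic SSTI advisory; assumes combined-format access
log lines. Sample data below is constructed, not taken from a real server.
"""
import re
from urllib.parse import unquote

# Twig delimiters: expression {{ }}, statement {% %}, comment {# #}
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %257B%257B -> %7B%7B -> {{ is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_twig_delims(target: str) -> bool:
    """True if the decoded request target contains any Twig delimiter pair."""
    return TWIG_DELIMS.search(fully_decode(target)) is not None


def scan_access_log(lines):
    """Return (ip, time, decoded target) for each request carrying Twig delimiters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if has_twig_delims(m["target"]):
            hits.append((m["ip"], m["time"], fully_decode(m["target"])))
    return hits


# Constructed sample log: one normal request, one single-encoded probe on the
# ";" URL segment, one double-encoded probe, and one harmless single-brace query.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2020:10:00:01 +0000] "GET /blog/my-post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Mar/2020:10:00:07 +0000] "GET /blog/my-post;%7B%7B%20test%20%7D%7D HTTP/1.1" 200 5133 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Mar/2020:10:00:09 +0000] "GET /about;%257B%257B%2520foo%2520%257D%257D HTTP/1.1" 200 4001 "-" "curl/7.68.0"',
    '198.51.100.9 - - [23/Mar/2020:10:00:12 +0000] "GET /search?q=%7Bnot-a-template%7D HTTP/1.1" 200 3000 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, when, target in scan_access_log(SAMPLE_LOG):
        print(f"{when} {ip} possible SSTI probe: {target}")
```

Run against a real log with `scan_access_log(open("access.log"))`; the two constructed probe lines are reported and the single-brace search query is not. On the application side, the general fix for this bug class is to treat URL segments as data passed to the template as a variable, never as template source handed to the renderer.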