A cross-site scripting (XSS) vulnerability in the SEOmatic plugin 3.4.10 for Craft CMS 3 allows remote attackers to inject arbitrary web script via a GET to /index.php?action=seomatic/file/seo-file-link with url parameter containing the base64 encoded URL of a malicious web page / file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension.
References
| Link | Resource |
|---|---|
| https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md | Release Notes Third Party Advisory |
| https://github.com/nystudio107/craft-seomatic/commit/4e46b792ce973ac0c652fb330055f41aca1981c8 | Patch Third Party Advisory |
| https://github.com/nystudio107/craft-seomatic/commit/5f2cdc7c39e0a4bfb60d2f84131508f0a87b2873 | Patch Third Party Advisory |
Configurations
History
17 Jun 2022, 19:03
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md - Release Notes, Third Party Advisory | |
| References | (MISC) https://github.com/nystudio107/craft-seomatic/commit/5f2cdc7c39e0a4bfb60d2f84131508f0a87b2873 - Patch, Third Party Advisory | |
| References | (MISC) https://github.com/nystudio107/craft-seomatic/commit/4e46b792ce973ac0c652fb330055f41aca1981c8 - Patch, Third Party Advisory | |
| CPE | cpe:2.3:a:nystudio107:seomatic:3.4.10:*:*:*:*:craft_cms:*:* | |
| CWE | CWE-79 | |
| CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
12 Jun 2022, 12:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-06-12 12:15
Updated : 2024-02-04 22:29
NVD link : CVE-2021-41750
Mitre link : CVE-2021-41750
CVE.ORG link : CVE-2021-41750
JSON object : View
Products Affected
nystudio107
- seomatic
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')