CVE-2018-14716: Injection Vulnerability

August 6, 2018 (updated December 3, 2019)

A Server Side Template Injection (SSTI) was discovered in the SEOmatic plug for Craft CMS, because requests that don’t match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

References

github.com/nystudio107/craft-seomatic/releases/tag/3.1.4
nvd.nist.gov/vuln/detail/CVE-2018-14716
twitter.com/nystudio107/status/1021847835418009605
twitter.com/nystudio107/status/1021855169515057152
www.exploit-db.com/exploits/45108/

Code Behaviors & Features

Detect and mitigate CVE-2018-14716 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →