CVE-2021-41749: Improper Control of Generation of Code ('Code Injection')

June 12, 2022 (updated June 17, 2022)

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

References

github.com/nystudio107/craft-seomatic/blob/develop/CHANGELOG.md
github.com/nystudio107/craft-seomatic/commit/3fee7d50147cdf3f999cfc1e04cbc3fb3d9f2f7d
nvd.nist.gov/vuln/detail/CVE-2021-41749

Code Behaviors & Features

Detect and mitigate CVE-2021-41749 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →