CVE-2020-12790

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-12790

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12790.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-12790

Aliases

GHSA-23q7-59jj-2pj4

Published

2020-05-11T19:15:11.327Z

Modified

2026-04-10T04:22:07.222221Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.

References

Affected packages

Git / github.com/nystudio107/craft-seomatic

Affected ranges

Type

GIT

Repo

https://github.com/nystudio107/craft-seomatic

Events

Introduced

Fixed

82f4a25b28fd622393da6592dc9e5ccee7fc5be3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.2.49"
        }
    ]
}

Affected versions

3.*

3.0.0-beta.1

3.0.23

3.1.50

3.2.0

3.2.1

3.2.10

3.2.11

3.2.12

3.2.13

3.2.14

3.2.15

3.2.16

3.2.17

3.2.18

3.2.19

3.2.2

3.2.20

3.2.21

3.2.22

3.2.23

3.2.24

3.2.25

3.2.26

3.2.27

3.2.28

3.2.29

3.2.3

3.2.30

3.2.31

3.2.32

3.2.33

3.2.34

3.2.35

3.2.36

3.2.37

3.2.38

3.2.39

3.2.4

3.2.41

3.2.42

3.2.43

3.2.44

3.2.45

3.2.46

3.2.47

3.2.48

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12790.json"