VYPR
Moderate severity · NVD Advisory · Published Jun 12, 2022 · Updated Aug 4, 2024

CVE-2021-41750

Description

CVE-2021-41750 is an XSS vulnerability in the SEOmatic plugin for Craft CMS, allowing arbitrary script injection via crafted URL parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The SEOmatic plugin version 3.4.10 for Craft CMS 3 contains a reflected cross-site scripting (XSS) vulnerability in the /index.php?action=seomatic/file/seo-file-link endpoint. The flaw exists because the plugin does not properly validate the url and fileName GET parameters. An attacker can supply a base64-encoded URL of a malicious page or file along with an arbitrary filename whose extension determines the content type rendered in the victim's browser [1].

To exploit this, an attacker sends a crafted request to a vulnerable site, e.g., /index.php?action=seomatic/file/seo-file-link?url=&fileName=malicious.html. The plugin then streams the content from the attacker-controlled URL and serves it with the content type inferred from the filename extension. No authentication is required; the attack only needs the victim to click a link or visit a page that triggers the request [1].

Successful exploitation allows the attacker to inject arbitrary HTML or JavaScript into the user's browser in the context of the vulnerable site. This can lead to session hijacking, defacement, or theft of sensitive information. The SEOmatic plugin is widely used for search engine optimization on Craft CMS sites, making this a significant vector for phishing or data theft [2].

The vulnerability was patched in a subsequent commit that adds validation of the file extension against the Craft CMS allowedFileExtensions configuration list. The fix ensures that only permitted file types are streamed, blocking attempts to serve arbitrary content types. Users should update SEOmatic to version 3.4.11 or later [2][4].
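As an added illustration (not SEOmatic's code and not taken from the patches shown on this page), the following Python models the hardened check the fix commits introduce: the extension is taken from the requested fileName the way PHP's pathinfo does, lowercased, rejected when empty, rejected when it is a script-capable type such as svg even if the site's allowlist permits it, and otherwise compared strictly against the allowlist. The same predicate is then run over a few constructed access-log lines to flag requests that the unpatched endpoint would have served. The allowlist contents, the script-capable set beyond svg, the log lines and all helper names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumption: a shortened stand-in for Craft CMS's allowedFileExtensions
# general config setting (the real default list is much longer).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "svg"})

# Extensions a browser may execute script from when rendered inline. The fix
# commit hard-codes only svg; html/htm/xhtml are added here as an assumption.
SCRIPT_CAPABLE = frozenset({"svg", "html", "htm", "xhtml"})

ENDPOINT = "seomatic/file/seo-file-link"


def extension_of(file_name: str) -> str:
    """Mirror PHP pathinfo($name, PATHINFO_EXTENSION): the text after the last
    dot of the basename, lowercased; '' when there is no dot or nothing after it."""
    base = file_name.rsplit("/", 1)[-1]
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def is_allowed_file_name(file_name: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Hardened check: empty extension -> reject; script-capable -> reject
    regardless of the allowlist; otherwise strict allowlist membership."""
    ext = extension_of(file_name)
    if ext == "" or ext in SCRIPT_CAPABLE:
        return False
    return ext in allowed


def download_headers(file_name: str, inline: bool = False) -> dict:
    """Headers for streaming a fetched file under a caller-supplied name.
    Raises ValueError (the PHP code throws) when the name is not allowed."""
    if not is_allowed_file_name(file_name):
        raise ValueError("File format not allowed.")
    # Strip any path and quote characters before echoing the name in a header.
    safe_name = file_name.rsplit("/", 1)[-1].replace('"', "")
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop the browser from second-guessing the declared content type.
        "X-Content-Type-Options": "nosniff",
    }


# Combined-log-format lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2021:10:00:01 +0000] "GET /index.php?action=seomatic/file/seo-file-link&url=aHR0cHM6Ly9leGFtcGxlLmNvbS9hLnBuZw==&fileName=a.png HTTP/1.1" 200 512
203.0.113.9 - - [24/Sep/2021:10:00:02 +0000] "GET /index.php?action=seomatic/file/seo-file-link&url=aHR0cHM6Ly9leGFtcGxlLmNvbS94&fileName=x.html HTTP/1.1" 200 812
203.0.113.9 - - [24/Sep/2021:10:00:03 +0000] "GET /index.php?action=seomatic/file/seo-file-link&url=aHR0cHM6Ly9leGFtcGxlLmNvbS9sb2dv&fileName=logo.SVG HTTP/1.1" 200 2048
198.51.100.2 - - [24/Sep/2021:10:00:04 +0000] "GET /about HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_requests(log_text: str):
    """Return (client_ip, fileName, status) for requests to the SEO file link
    action whose fileName the hardened check would reject. A 200 status on
    such a line means the unpatched endpoint served the fetched content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("target"))
        params = parse_qs(parsed.query)
        # The action may be routed by query parameter or by path.
        actions = params.get("action", [])
        if ENDPOINT not in parsed.path and not any(ENDPOINT in a for a in actions):
            continue
        file_name = params.get("fileName", [""])[0]
        if not is_allowed_file_name(file_name):
            hits.append((m.group("ip"), file_name, m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, name, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} requested disallowed fileName={name!r} (HTTP {status})")
```

The check runs before anything is sent, so the point of interest for a defender is the second half: the same predicate applied to historical access logs shows which requests an unpatched instance answered with a 200 for a disallowed name, which is the quickest way to scope exposure after upgrading to 3.4.11.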

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: nystudio107/craft-seomatic (Packagist)
Affected versions: < 3.4.11
Patched versions: 3.4.11

Affected products: 2

Patches: 2

4e46b792ce97

Disallow SVGs

https://github.com/nystudio107/craft-seomatic · Andrew Welch · Sep 24, 2021 · via ghsa
1 file changed · +1 −1
  • src/controllers/FileController.php · +1 −1 · modified
    @@ -96,7 +96,7 @@ public function actionSeoFileLink($url, $robots = '', $canonical = '', $inline =
                 if (($ext = pathinfo($fileName, PATHINFO_EXTENSION)) !== '') {
                     $ext = strtolower($ext);
                 }
    -            if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
    +            if ($ext === '' || $ext === 'svg' || !in_array($ext, $allowedExtensions, true)) {
                     throw new ServerErrorHttpException(Craft::t('seomatic', 'File format not allowed.'));
                 }
                 // Send the file as a stream, so it can exist anywhere
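Review bot: the new `$ext === 'svg'` clause is a one-item denylist sitting inside an allowlist check, and nothing in the hunk records why it is needed; a comment stating that SVG is an XML document that can embed script, so it stays an XSS vector even when the site's allowedFileExtensions permits it for uploads, would stop a later maintainer from removing it as redundant with the in_array test. Consider also moving the blocked set into a named array, e.g. `$blockedExtensions = ['svg'];` checked with `in_array($ext, $blockedExtensions, true)`, so further script-capable extensions can be added in one place.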
    
5f2cdc7c39e0

Ensure that only files with the extensions listed in `allowedFileExtensions` General Config setting can be used with the SEO File Link controller

https://github.com/nystudio107/craft-seomatic · Andrew Welch · Sep 24, 2021 · via ghsa
1 file changed · +12 −0
  • src/controllers/FileController.php · +12 −0 · modified
    @@ -15,12 +15,15 @@
     use nystudio107\seomatic\Seomatic;
     
     use Craft;
    +use craft\elements\Asset;
     use craft\helpers\FileHelper;
    +use craft\helpers\Assets as AssetsHelper;
     use craft\web\Controller;
     
     use yii\web\NotFoundHttpException;
     use yii\web\HttpException;
     use yii\web\Response;
    +use yii\web\ServerErrorHttpException;
     
     /**
      * @author    nystudio107
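Review bot: `use craft\elements\Asset;` and `use craft\helpers\Assets as AssetsHelper;` are added here, but neither `Asset` nor `AssetsHelper` is referenced in the other hunk of this commit, which only needs `ServerErrorHttpException`; unless code outside the diff already uses them, drop the two unused imports so the change stays limited to the fix.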
    @@ -87,6 +90,15 @@ public function actionSeoFileLink($url, $robots = '', $canonical = '', $inline =
                     $headerValue = '<'.$canonical.'>; rel="canonical"';
                     $response->headers->add('Link', $headerValue);
                 }
    +            // Ensure the file type is allowed
    +            // ref: https://craftcms.com/docs/3.x/config/config-settings.html#allowedfileextensions
    +            $allowedExtensions = Craft::$app->getConfig()->getGeneral()->allowedFileExtensions;
    +            if (($ext = pathinfo($fileName, PATHINFO_EXTENSION)) !== '') {
    +                $ext = strtolower($ext);
    +            }
    +            if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
    +                throw new ServerErrorHttpException(Craft::t('seomatic', 'File format not allowed.'));
    +            }
                 // Send the file as a stream, so it can exist anywhere
                 $response->sendContentAsFile(
                     $contents,
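Review bot: the allowlist check is placed immediately before `sendContentAsFile($contents, ...)`, after `$contents` has evidently already been fetched from the caller-supplied `$url`, so a rejected request still causes the outbound fetch; moving the extension check ahead of the fetch avoids that. Rejecting a bad client-supplied `$fileName` with `ServerErrorHttpException` also returns a 500 and will surface in error monitoring as a server fault; `yii\web\BadRequestHttpException` (400) or `yii\web\ForbiddenHttpException` (403) describes the condition accurately and is easier to alert on. Finally, `allowedFileExtensions` is the upload allowlist and may itself contain script-capable types such as svg, so this check alone does not make the streamed content safe to render inline; the companion "Disallow SVGs" commit covers svg, and sending `X-Content-Type-Options: nosniff` with an attachment disposition when `$inline` is false would close the rest.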
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.