CVE-2021-41750

Name of the Vulnerable Software and Affected Versions SEOmatic plugin version 3.4.10 for Craft CMS 3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script via a GET to "/index.php?action=seomatic/file/seo-file-link" with url parameter containing the base64 encoded URL of a malicious web page or file and fileName parameter containing an arbitrary filename with the intended content-type to be rendered in the user's browser as the extension.

Recommendations For SEOmatic plugin version 3.4.10, consider disabling the "/index.php?action=seomatic/file/seo-file-link" endpoint until a patch is available. Restrict access to the url and fileName parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.