CVE-2020-9757: 
PHP vulnerability analysis and mitigation

The SEOmatic component before version 3.3.0 for Craft CMS was discovered to contain a Server-Side Template Injection (SSTI) vulnerability that could lead to Remote Code Execution (RCE). The vulnerability was identified in March 2020 and tracked as CVE-2020-9757. The issue specifically affects the metacontainers controller, where malformed data input could be exploited (NVD, CVE).

The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-accessible, requires low complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability exists in the metacontainers controller and can be exploited through malformed URI parameters, allowing template injection that leads to remote code execution (NVD, Exploit).

The successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The vulnerability can be exploited to disclose sensitive information, inject malicious code, and gain unauthorized control over the affected CraftCMS installation (FortiGuard).

The vulnerability was addressed in SEOmatic version 3.3.0. Users are strongly advised to upgrade to this version or later to mitigate the risk. The fix specifically addresses the SSTI vulnerability in the metacontainers controller that could lead to information disclosure and remote code execution (Changelog, Patch).