[Japanese]

JVNDB-2009-000020

Movable Type cross-site scripting vulnerability

Overview

Movable Type contains a cross-site scripting vulnerability.

Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability.
This vulnerability is a different vulnerability than past reports on JVN.

This vulnerability has been fixed and an updated version (Movable Type 4.25) was released on March 18, 2009.

Masashi Shiraishi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.

The following are also affected by this vulnerability when "global templates" are not initialized.

* Movable Type 4.25 (updated from Movable Type 4.24 (includes Professional and Community Packs))
* Movable Type 4.25 (updated from Movable Type 4.24 Enterprise)

For more information, refer to the vendor's website.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Six Apart, Ltd.
  • Movable Type 4.24 (includes Professional and Community Packs)
  • Movable Type (commercial) 4.24 (includes Professional Pack)
  • Movable Type (enterprise) 4.24
  • Movable Type 4.24 (Open Source)
  • Movable Type 4.25 (updated from Movable Type 4.24 (includes Professional and Community Packs))
  • Movable Type 4.25 (updated from Movable Type 4.24 Enterprise)

Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Update the Software]
Update to the latest version according to the information provided by the vendor.

Note that the initialization of "global templates" is required for some packages.
For more information, refer to the vendor's website.
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2009-2480
References

  1. JVN : JVN#97248625
  2. National Vulnerability Database (NVD) : CVE-2009-2480
  3. Secunia Advisory : SA35534
  4. SecurityFocus : 35471
  5. ISS X-Force Database : 51329
  6. VUPEN Security : VUPEN/ADV-2009-1668
Revision History

  • [2009/04/28]
      Web page published
    [2009/07/29]
      Vendor Information : Added Six Apart (MT 4.261: A Small Patch Release).