[Japanese]
|
JVNDB-2009-000020
|
Movable Type cross-site scripting vulnerability
|
Movable Type contains a cross-site scripting vulnerability.
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability.
This vulnerability is a different vulnerability than past reports on JVN.
This vulnerability has been fixed and an updated version (Movable Type 4.25) was released on March 18, 2009.
Masashi Shiraishi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
The following are also affected by this vulnerability when "global templates" are not initialized.
* Movable Type 4.25 (updated from Movable Type 4.24 (includes Professional and Community Packs))
* Movable Type 4.25 (updated from Movable Type 4.24 Enterprise)
For more information, refer to the vendor's website.
|
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
Six Apart, Ltd.
- Movable Type 4.24 (includes Professional and Community Packs)
- Movable Type (commercial) 4.24 (includes Professional Pack)
- Movable Type (enterprise) 4.24
- Movable Type 4.24 (Open Source)
- Movable Type 4.25 (updated from Movable Type 4.24 (includes Professional and Community Packs))
- Movable Type 4.25 (updated from Movable Type 4.24 Enterprise)
|
|
An arbitrary script may be executed on the user's web browser.
|
[Update the Software]
Update to the latest version according to the information provided by the vendor.
Note that the initialization of "global templates" is required for some packages.
For more information, refer to the vendor's website.
|
Six Apart, Ltd.
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2009-2480
|
- JVN : JVN#97248625
- National Vulnerability Database (NVD) : CVE-2009-2480
- Secunia Advisory : SA35534
- SecurityFocus : 35471
- ISS X-Force Database : 51329
- VUPEN Security : VUPEN/ADV-2009-1668
|
- [2009/04/28]
Web page published
[2009/07/29]
Vendor Information : Added Six Apart (MT 4.261: A Small Patch Release).
|