JVNDB-2011-000031

Movable Type vulnerable to cross-site scripting

Overview

Movable Type contains a cross-site scripting vulnerability.

Movable Type, a weblog system from Six Apart KK, contains a cross-site scripting vulnerability caused by an issue in the management screen.

This vulnerability is different from the vulnerabilities previously disclosed on JVN.

Takeshi Terada of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Six Apart, Ltd.
  • Movable Type 4.21 and earlier
  • Movable Type Open Source 4.21 and earlier
  • Movable Type Community Solution 4.21 and earlier
  • Movable Type Enterprise 4.21 and earlier

Impact

An arbitrary script may be executed on the user's web browser.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

Vendor Information

Six Apart, Ltd.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2008-5845

References

  1. JVN : JVN#45658190
  2. National Vulnerability Database (NVD) : CVE-2008-5845

Revision History

[2011/05/25]
  Web page published