JVNDB-2012-000016

Movable Type vulnerable to cross-site scripting

Overview

Movable Type contains a cross-site scripting vulnerability.

mt-wizard.cgi and Movable Type templates contain a cross-site scripting vulnerability.

CVSS Severity

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Versions 5.12, 5.06, 4.37, 4.292 and earlier of the products listed below are vulnerable.

Six Apart, Ltd.
  • Movable Type Open Source
  • Movable Type Enterprise
  • Movable Type Advanced
  • Movable Type (with Professional Pack, Community Pack)

For more information, refer to the information provided by the developer.

Impact

An arbitrary script may be executed on the user's web browser.

Solution

[Update the software]
Update to the latest version of each product according to the information provided by the developer.

Vendor Information

Six Apart, Ltd.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2012-0318

References

  1. JVN : JVN#49836527
  2. National Vulnerability Database (NVD) : CVE-2012-0318

Revision History

[2012/02/23]
  Web page was published