|
[Japanese]
|
JVNDB-2023-000105
|
Movable Type vulnerable to cross-site scripting
|
|
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79).
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
Six Apart, Ltd.
- Movable Type 7 r.5405 and earlier (Movable Type 7 Series)
- Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series)
- Movable Type Premium 1.58 and earlier
- Movable Type Premium Advanced 1.58 and earlier
- Movable Type Premium Cloud Edition 1.58 and earlier
- Movable Type Cloud Edition (Version 7) r.5405 and earlier
|
|
|
An arbitrary script may be executed on a logged-in user's web browser.
|
|
[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain fix for this vulnerability:
- Movable Type 7 r.5501 (Movable Type 7 Series)
- Movable Type Advanced 7 r.5501 (Movable Type 7 Series)
- Movable Type Premium 1.59
- Movable Type Premium Advanced 1.59
- Movable Type Cloud Edition (Version 7) r.5501
- Movable Type Premium Cloud Edition 1.59
For more information, refer to the information provided by the developer.
|
|
Six Apart, Ltd.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2023-45746
|
|
- JVN : JVN#39139884
|
|
- [2023/10/25]
Web page was published
|
