|
JVNDB-2008-000072
|
Movable Type cross-site scripting vulnerability
|
Movable Type contains a cross-site scripting vulnerability.
Movable Type, a web log system from Six Apart KK, contains a vulnerability resulting from the improper handling of the management page that can lead to cross-site scripting.
This vulnerability is different from JVN#30385652.
An updated version addressing this vulnerability was released on December 3, 2008.
Ryuji Sakai, Tomohito Yoshino and Yoshinori Ohta of Business Architects Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
Six Apart, Ltd.
- Movable Type 4 (version 4.22 and earlier)
- Movable Type (community_solution) 4 (version 4.22 and earlier)
- Movable Type (enterprise) 4 (version 4.22 and earlier)
- Movable Type 4 (Open Source) (version 4.22 and earlier)
- Movable Type (enterprise) 1.5 (version 1.55 and earlier)
- Movable Type 3 (version 3.37 and earlier)
|
|
An arbitrary script may be executed on the blog administrator's web browser.
|
[Update the Software]
Update to the latest version according to the information provided by the vendor.
|
Six Apart, Ltd.
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2008-4634
|
- JVN : JVN#81490697
- National Vulnerability Database (NVD) : CVE-2008-4634
- Secunia Advisory : SA32305
- SecurityFocus : 31826
- ISS X-Force Database : 45968
- JVN iPedia (Japanese) : JVNDB-2008-000072
|
- [2008/10/21] Web page published
- [2008/12/24] Affected Products : Updated Six Apart (Movable Type 4.22).
- [2011/05/31] Vendor Information : Six Apart (Movable Type 4.23).
|