Movable Type vulnerable to cross-site scripting


Movable Type contains a cross-site scripting vulnerability.

Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability due to an issue in the management screen.

This vulnerability is different than the previous vulnerabilities disclosed on JVN.

Takeshi Terada of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Six Apart, Ltd.
  • Movable Type 4.21 and earlier
  • Movable Type (community_solution) 4.21 and earlier
  • Movable Type (enterprise) 4.21 and earlier
  • Movable Type Open Source 4.21 and earlier


An arbitrary script may be executed on the user's web browser.

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-5845

  1. JVN : JVN#45658190
  2. National Vulnerability Database (NVD) : CVE-2008-5845
Revision History

  • [2011/05/25]
      Web page published