[Japanese]

JVNDB-2012-000017

Movable Type vulnerable to OS command injection

Overview

Movable Type contains an OS command injection vulnerability.

Movable Type contains an OS command injection vulnerability in its file management system.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Version 5.12, 5.06, 4.37, 4.292 and earlier of the products listed below are vulnerable.

Six Apart, Ltd.
  • Movable Type Open Source
  • Movable Type (with Professional Pack, Community Pack)
  • Movable Type Enterprise
  • Movable Type Advanced

For more information, refer to the information provided by the developer.
Impact

A user with a privilege to upload files may execute an arbitrary OS command.
Solution

[Update the software]
Update to the latest version of each product according to the information provided by the developer.
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-0319
References

  1. JVN : JVN#92683325
  2. National Vulnerability Database (NVD) : CVE-2012-0319
Revision History

  • [2012/02/23]
      Web page was published.