JVNDB-2023-000105

Movable Type vulnerable to cross-site scripting

Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79).

Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.

Six Apart, Ltd.

• Movable Type 7 r.5405 and earlier (Movable Type 7 Series)
• Movable Type Cloud Edition (Version 7) r.5405 and earlier
• Movable Type Premium Cloud Edition 1.58 and earlier
• Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series)
• Movable Type Premium 1.58 and earlier
• Movable Type Premium Advanced 1.58 and earlier

An arbitrary script may be executed on a logged-in user's web browser.

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain fix for this vulnerability:

• Movable Type 7 r.5501 (Movable Type 7 Series)
  
• Movable Type Advanced 7 r.5501 (Movable Type 7 Series)
  
• Movable Type Premium 1.59
  
• Movable Type Premium Advanced 1.59
  
• Movable Type Cloud Edition (Version 7) r.5501
  
• Movable Type Premium Cloud Edition 1.59
  

For more information, refer to the information provided by the developer.

Six Apart, Ltd.

• JVN : Information from Six Apart Ltd.
• MOVABLETYPE NEWS : MOVABLE TYPE 7 R.5501 (7.902.0): SECURITY UPDATE

1. Cross-site Scripting(CWE-79) [IPA Evaluation]

1. CVE-2023-45746

1. JVN : JVN#39139884
2. National Vulnerability Database (NVD) : CVE-2023-45746

• [2023/10/25]
    Web page was published
• [2024/05/10]
    References : Contents were added