[Japanese]

JVNDB-2025-000014

Multiple cross-site scripting vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.
  • Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79) - CVE-2025-22888

  • Stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79) - CVE-2025-24841

    • affected when TinyMCE6 is used as a rich text editor

  • Reflected cross-site scripting vulnerability in the user information edit page (CWE-79) - CVE-2025-25054

    • affected when Multi-Factor authentication plugin for Sign-in is enabled


LEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly.
Six Apart Ltd. found CVE-2025-22888 and CVE-2025-24841.
Six Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-25054

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-22888

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-24841
Affected Products


Six Apart, Ltd.
  • Movable Type 8.4.1 and earlier (8.4.x series)
  • Movable Type 8.0.5 and earlier (8.0.x series)
  • Movable Type Cloud Edition 8.4.1 and earlier (8.x series)
  • Movable Type Advanced 8.4.1 and earlier (8.4.x series)
  • Movable Type Advanced 8.0.5 and earlier (8.0.x series)
  • Movable Type Premium 2.06 and earlier (2.x series)
  • Movable Type Premium Cloud Edition 2.06 and earlier (2.x series)
  • Movable Type Premium (Advanced Edition) 2.06 and earlier (2.x series)

Impact

  • An arbitrary script may be executed on a logged-in user's web browser (CVE-2025-22888, CVE-2025-24841)

  • If a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user (CVE-2025-25054)
Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities:
  • Movable Type
    • 8.4.2 (8.4.x series)
    • 8.0.6 (8.0.x series)

  • Movable Type Advanced
    • 8.4.2 (8.4.x series)
    • 8.0.6 (8.0.x series)

  • Movable Type Premium 2.07 (2.x series)

  • Movable Type Premium (Advanced Edition) 2.07 (2.x series)

  • Movable Type Cloud Edition 8.5.0 (8.x series)

  • Movable Type Premium Cloud Edition 2.07 (2.x series)

For more details, refer to the information provided by the developer.
Vendor Information

Six Apart, Ltd.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2025-22888
  2. CVE-2025-24841
  3. CVE-2025-25054
References

  1. JVN : JVN#48742353
Revision History

  • [2025/02/19]
      Web page was published

Date Public2025/02/19
Date First Published2025/02/19
Date Last Updated2025/02/19