
JVNDB-2025-000090

Multiple stored cross-site scripting vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple stored cross-site scripting vulnerabilities listed below.

  • Stored cross-site scripting vulnerability in Edit ContentData page (CWE-79) - CVE-2025-54856

  • Stored cross-site scripting vulnerability in Edit CategorySet of ContentType page (CWE-79) - CVE-2025-62499


Six Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score], vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


Six Apart, Ltd.
  • Movable Type Software Edition 8.4.0 to 8.4.3 (8.4 series)
  • Movable Type Software Edition 8.0.0 to 8.0.7 (8.0 series)
  • Movable Type Software Edition 7 r.5509 and earlier (7 series)
  • Movable Type Cloud Edition 8.7.0 (8 series)
  • Movable Type Cloud Edition 7 r.5509 (7 series)
  • Movable Type Advanced Software Edition 8.4.0 to 8.4.3 (8.4 series)
  • Movable Type Advanced Software Edition 8.0.0 to 8.0.7 (8.0 series)
  • Movable Type Advanced Software Edition 7 r.5509 and earlier (7 series)
  • Movable Type Premium Software Edition 2.10 and earlier (2 series)
  • Movable Type Premium Software Edition 1.67 and earlier (1 series)
  • Movable Type Premium Cloud Edition 2.10 (2 series)
  • Movable Type Premium Cloud Edition 1.67 (1 series)
  • Movable Type Premium (Advanced Edition) Software Edition 2.10 and earlier (2 series)
  • Movable Type Premium (Advanced Edition) Software Edition 1.67 and earlier (1 series)

Impact

If crafted input is stored by an attacker who holds the "ContentType Management" privilege, the following impacts may occur. Because the script is stored server-side, it runs in the browser, and therefore with the session and privileges, of every user who later opens the affected page, not only of the attacker.

  • An arbitrary script may be executed on the web browser of the user who accesses the Edit ContentData page (CVE-2025-54856)

  • An arbitrary script may be executed on the web browser of the user who accesses the Edit CategorySet of ContentType page (CVE-2025-62499)

Solution

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities.
Movable Type Software Edition

  • Movable Type / Movable Type Advanced

    • 8.8.0 (8.8 series)
    • 8.4.4 (8.4 series)
    • 8.0.8 (8.0 series)
    • 7 r.5510 (7 series)

  • Movable Type Premium / Movable Type Premium (Advanced Edition)

    • 2.11 (2 series)
    • 1.68 (1 series)


Movable Type Cloud Edition

  • Movable Type

    • 8.8.0 (8 series)
    • 7 r.5510 (7 series)

  • Movable Type Premium

    • 2.11 (2 series)
    • 1.68 (1 series)


For more details, refer to the information provided by the developer.
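Checking a fleet of installations against the version list above is error-prone by hand because the 7 series uses "r.NNNN" build numbers while the 8 and Premium series use dotted versions. The following script is an added example, not tooling from JVN, IPA or Six Apart: the affected ranges and fixed releases are transcribed from the "Affected Products" and "Solution" sections of this advisory, the edition names are the page's own, and the only assumption is the shape of the version strings (for example "8.4.3", "7 r.5509", "2.10").

```python
import re

# Affected ranges and fixed releases, transcribed from this advisory.
# Each entry: (series prefix, lowest affected or None for "and earlier",
#              highest affected (inclusive), first fixed release)
ADVISORY = {
    "Movable Type Software Edition": [
        ((8, 4), "8.4.0", "8.4.3", "8.4.4"),
        ((8, 0), "8.0.0", "8.0.7", "8.0.8"),
        ((7,), None, "7 r.5509", "7 r.5510"),
    ],
    "Movable Type Cloud Edition": [
        ((8,), "8.7.0", "8.7.0", "8.8.0"),
        ((7,), "7 r.5509", "7 r.5509", "7 r.5510"),
    ],
    "Movable Type Premium Software Edition": [
        ((2,), None, "2.10", "2.11"),
        ((1,), None, "1.67", "1.68"),
    ],
    "Movable Type Premium Cloud Edition": [
        ((2,), "2.10", "2.10", "2.11"),
        ((1,), "1.67", "1.67", "1.68"),
    ],
}

# Editions the advisory lists separately but that share a fix line above.
ALIASES = {
    "Movable Type Advanced Software Edition": "Movable Type Software Edition",
    "Movable Type Premium (Advanced Edition) Software Edition":
        "Movable Type Premium Software Edition",
}


def parse_version(text):
    """'8.4.3' -> (8, 4, 3); '7 r.5509' -> (7, 5509); '2.10' -> (2, 10).
    Tuples compare component-wise, so '7 r.5509' < '7 r.5510' as intended."""
    normalized = re.sub(r"\s*r\.?", ".", text.strip())
    if not re.fullmatch(r"\d+(\.\d+)*", normalized):
        raise ValueError(f"unrecognised Movable Type version: {text!r}")
    return tuple(int(p) for p in normalized.split("."))


def assess(edition, version):
    """Return (affected, fixed_release).

    fixed_release is None when the installed build falls outside every
    affected range listed for that edition (already patched, or a series
    the advisory does not list, such as 8.8.0)."""
    table = ADVISORY.get(ALIASES.get(edition, edition))
    if table is None:
        raise KeyError(f"edition not covered by this advisory: {edition!r}")
    v = parse_version(version)
    for prefix, low, high, fixed in table:
        if v[:len(prefix)] != prefix:          # wrong series, skip
            continue
        in_range = (low is None or v >= parse_version(low)) and v <= parse_version(high)
        if in_range:
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = [
        ("Movable Type Software Edition", "8.4.2"),
        ("Movable Type Advanced Software Edition", "7 r.5509"),
        ("Movable Type Cloud Edition", "8.8.0"),
        ("Movable Type Premium (Advanced Edition) Software Edition", "2.09"),
    ]
    for edition, version in inventory:
        affected, fixed = assess(edition, version)
        print(f"{edition} {version}: "
              + (f"AFFECTED, update to {fixed}" if affected else "not affected"))
```

Note that the cloud entries are encoded as single versions rather than "and earlier" ranges because that is how the advisory lists them; widen them only if the vendor's own bulletin says so.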
Vendor Information

Six Apart, Ltd.
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE

  1. CVE-2025-54856
  2. CVE-2025-62499
References

  1. JVN : JVN#24333679
Revision History

  • [2025/10/22]
      Web page was published