Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
48 vulnerabilities by sixapart
CVE-2026-25776 (GCVE-0-2026-25776)
Vulnerability from cvelistv5 – Published: 2026-04-08 08:52 – Updated: 2026-04-08 13:22
VLAI
Summary
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code injection
Assigner
References
Impacted products
21 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T13:21:57.431441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T13:22:04.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.8.2 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.9 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.8.2 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.9 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type Premium (MT8-based)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "5.1 to 5.18"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"status": "affected",
"version": "5.2.1 to 5.2.13"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"status": "affected",
"version": "6.0.1 to 6.8.8"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "7 r.4207 to r.5510"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.4.0 to 8.4.4"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.0 to 1.68"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code injection",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T08:52:15.469Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2026/04/mt-907-released.html"
},
{
"url": "https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html"
},
{
"url": "https://jvn.jp/en/jp/JVN66473735/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-25776",
"datePublished": "2026-04-08T08:52:15.469Z",
"dateReserved": "2026-03-26T01:06:12.957Z",
"dateUpdated": "2026-04-08T13:22:04.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33088 (GCVE-0-2026-33088)
Vulnerability from cvelistv5 – Published: 2026-04-08 08:51 – Updated: 2026-04-08 13:31
VLAI
Summary
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper neutralization of special elements used in an SQL command ('SQL Injection')
Assigner
References
Impacted products
21 products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T13:31:00.450725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T13:31:08.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.8.2 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.9 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.8.2 and earlier"
}
]
},
{
"product": "Movable Type Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.0.9 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.1.0 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "9.0.6 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type Premium (MT8-based)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "2.14 and earlier"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "5.1 to 5.18"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"status": "affected",
"version": "5.2.1 to 5.2.13"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"status": "affected",
"version": "6.0.1 to 6.8.8"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "7 r.4207 to r.5510"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "8.4.0 to 8.4.4"
}
]
},
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.0 to 1.68"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T08:51:45.916Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2026/04/mt-907-released.html"
},
{
"url": "https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html"
},
{
"url": "https://jvn.jp/en/jp/JVN66473735/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-33088",
"datePublished": "2026-04-08T08:51:45.916Z",
"dateReserved": "2026-03-26T01:06:13.982Z",
"dateUpdated": "2026-04-08T13:31:08.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-45746 (GCVE-0-2023-45746)
Vulnerability from cvelistv5 – Published: 2023-10-30 04:57 – Updated: 2024-10-29 18:23
VLAI
Summary
Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Cross-site scripting (XSS)
Assigner
References
2 references
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type 7 (Movable Type 7 Series) |
Affected:
r.5405 and earlier
|
|
| Six Apart Ltd. | Movable Type Advanced 7 (Movable Type 7 Series) |
Affected:
r.5405 and earlier
|
|
| Six Apart Ltd. | Movable Type Premium |
Affected:
1.58 and earlier
|
|
| Six Apart Ltd. | Movable Type Premium Advanced |
Affected:
1.58 and earlier
|
|
| Six Apart Ltd. | Movable Type Cloud Edition (Version 7) |
Affected:
r.5405 and earlier
|
|
| Six Apart Ltd. | Movable Type Premium Cloud Edition |
Affected:
1.58 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://movabletype.org/news/2023/10/mt-79020-released.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN39139884/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T19:30:04.872226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T18:23:10.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type 7 (Movable Type 7 Series)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "r.5405 and earlier"
}
]
},
{
"product": "Movable Type Advanced 7 (Movable Type 7 Series)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "r.5405 and earlier"
}
]
},
{
"product": "Movable Type Premium",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.58 and earlier"
}
]
},
{
"product": "Movable Type Premium Advanced",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.58 and earlier"
}
]
},
{
"product": "Movable Type Cloud Edition (Version 7)",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "r.5405 and earlier"
}
]
},
{
"product": "Movable Type Premium Cloud Edition",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "1.58 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T04:57:43.561Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2023/10/mt-79020-released.html"
},
{
"url": "https://jvn.jp/en/jp/JVN39139884/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-45746",
"datePublished": "2023-10-30T04:57:43.561Z",
"dateReserved": "2023-10-12T05:42:52.133Z",
"dateUpdated": "2024-10-29T18:23:10.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45113 (GCVE-0-2022-45113)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 15:50
VLAI
Summary
Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Validation of Syntactic Correctness of Input
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:05.817049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:50:21.256Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Validation of Syntactic Correctness of Input",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-45113",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-11-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T15:50:21.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43660 (GCVE-0-2022-43660)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 14:10
VLAI
Summary
Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:09:58.389409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T14:10:58.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of \u0027Manage of Content Types\u0027 may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-43660",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-11-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T14:10:58.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45122 (GCVE-0-2022-45122)
Vulnerability from cvelistv5 – Published: 2022-12-07 00:00 – Updated: 2025-04-23 19:03
VLAI
Summary
Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Cross-site scripting
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T19:02:35.105619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:03:12.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T00:00:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://movabletype.org/news/2022/11/mt-796-688-released.html"
},
{
"url": "https://jvn.jp/en/jp/JVN37014768/index.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-45122",
"datePublished": "2022-12-07T00:00:00.000Z",
"dateReserved": "2022-11-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:03:12.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-38078 (GCVE-0-2022-38078)
Vulnerability from cvelistv5 – Published: 2022-08-24 08:40 – Updated: 2024-08-03 10:45
VLAI
Summary
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
Severity
No CVSS data available.
CWE
- Command Injection
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2022/08/mt-795-687-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN57728859/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type XMLRPC API |
Affected:
Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2022/08/mt-795-687-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN57728859/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type XMLRPC API",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-24T08:40:42.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2022/08/mt-795-687-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN57728859/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-38078",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type XMLRPC API",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2022/08/mt-795-687-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2022/08/mt-795-687-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN57728859/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN57728859/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-38078",
"datePublished": "2022-08-24T08:40:42.000Z",
"dateReserved": "2022-08-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:45:52.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5669 (GCVE-0-2020-5669)
Vulnerability from cvelistv5 – Published: 2021-10-26 10:10 – Updated: 2024-08-04 08:39
VLAI
Summary
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.sixapart.jp/movabletype/news/2020/11/… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN94245475/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sixapart.jp/movabletype/news/2020/11/18-1101.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN94245475/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T10:10:10.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sixapart.jp/movabletype/news/2020/11/18-1101.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN94245475/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5669",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sixapart.jp/movabletype/news/2020/11/18-1101.html",
"refsource": "MISC",
"url": "https://www.sixapart.jp/movabletype/news/2020/11/18-1101.html"
},
{
"name": "https://jvn.jp/en/jp/JVN94245475/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN94245475/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5669",
"datePublished": "2021-10-26T10:10:10.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:39:25.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20837 (GCVE-0-2021-20837)
Vulnerability from cvelistv5 – Published: 2021-10-26 05:15 – Updated: 2024-08-03 17:53
VLAI
KEVintel KEV
Summary
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
Severity
No CVSS data available.
CWE
- OS Command Injection
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/10/mt-782-683-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN41119755/index.html | x_refsource_MISC |
| http://packetstormsecurity.com/files/164705/Movab… | x_refsource_MISC |
| http://packetstormsecurity.com/files/164818/Movab… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/10/mt-782-683-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN41119755/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OS Command Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-09T19:06:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/10/mt-782-683-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN41119755/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20837",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/10/mt-782-683-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/10/mt-782-683-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN41119755/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN41119755/index.html"
},
{
"name": "http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
},
{
"name": "http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20837",
"datePublished": "2021-10-26T05:15:12.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20815 (GCVE-0-2021-20815)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:46.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20815",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20815",
"datePublished": "2021-08-26T01:20:46.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20814 (GCVE-0-2021-20814)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:44.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20814",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), and Movable Type Premium 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20814",
"datePublished": "2021-08-26T01:20:44.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20813 (GCVE-0-2021-20813)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:42.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20813",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series)) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20813",
"datePublished": "2021-08-26T01:20:42.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20812 (GCVE-0-2021-20812)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:41.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20812",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20812",
"datePublished": "2021-08-26T01:20:41.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20811 (GCVE-0-2021-20811)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:39.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20811",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20811",
"datePublished": "2021-08-26T01:20:39.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20810 (GCVE-0-2021-20810)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:37.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20810",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20810",
"datePublished": "2021-08-26T01:20:38.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20809 (GCVE-0-2021-20809)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:35.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20809",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20809",
"datePublished": "2021-08-26T01:20:35.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20808 (GCVE-0-2021-20808)
Vulnerability from cvelistv5 – Published: 2021-08-26 01:20 – Updated: 2024-08-03 17:53
VLAI
Summary
Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2021/08/mt-780-681-r… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN97545738/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-26T01:20:32.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20808",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2021/08/mt-780-681-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2021/08/mt-780-681-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN97545738/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN97545738/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20808",
"datePublished": "2021-08-26T01:20:32.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:23.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5577 (GCVE-0-2020-5577)
Vulnerability from cvelistv5 – Published: 2020-05-14 01:00 – Updated: 2024-08-04 08:30
VLAI
Summary
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors.
Severity
No CVSS data available.
CWE
- Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2020/05/mt-730-660-6… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN28806943/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-14T01:00:22.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5577",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allow remote authenticated attackers to upload arbitrary files and execute a php script via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN28806943/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5577",
"datePublished": "2020-05-14T01:00:22.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:30:24.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5576 (GCVE-0-2020-5576)
Vulnerability from cvelistv5 – Published: 2020-05-14 01:00 – Updated: 2024-08-04 08:30
VLAI
Summary
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2020/05/mt-730-660-6… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN28806943/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.817Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-14T01:00:21.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5576",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN28806943/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5576",
"datePublished": "2020-05-14T01:00:22.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:30:24.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5574 (GCVE-0-2020-5574)
Vulnerability from cvelistv5 – Published: 2020-05-14 01:00 – Updated: 2024-08-04 08:30
VLAI
Summary
HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors.
Severity
No CVSS data available.
CWE
- Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2020/05/mt-730-660-6… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN28806943/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-14T01:00:21.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5574",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN28806943/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5574",
"datePublished": "2020-05-14T01:00:21.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:30:24.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5575 (GCVE-0-2020-5575)
Vulnerability from cvelistv5 – Published: 2020-05-14 01:00 – Updated: 2024-08-04 08:30
VLAI
Summary
Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2020/05/mt-730-660-6… | x_refsource_MISC |
| https://jvn.jp/en/jp/JVN28806943/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd. | Movable Type |
Affected:
Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.605Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart Ltd.",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-14T01:00:21.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5575",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2020/05/mt-730-660-6312-released.html"
},
{
"name": "https://jvn.jp/en/jp/JVN28806943/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN28806943/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5575",
"datePublished": "2020-05-14T01:00:21.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:30:24.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5528 (GCVE-0-2020-5528)
Vulnerability from cvelistv5 – Published: 2020-02-06 09:30 – Updated: 2024-08-04 08:30
VLAI
Summary
Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)) allows remote attackers to inject arbitrary web script or HTML in the block editor and the rich text editor via a specially crafted URL.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2020/02/movable_type… | x_refsource_MISC |
| http://jvn.jp/en/jp/JVN94435544/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd | Movable Type series |
Affected:
Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN94435544/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type series",
"vendor": "Six Apart Ltd",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)) allows remote attackers to inject arbitrary web script or HTML in the block editor and the rich text editor via a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-06T09:30:14.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jvn.jp/en/jp/JVN94435544/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5528",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type series",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)) allows remote attackers to inject arbitrary web script or HTML in the block editor and the rich text editor via a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html"
},
{
"name": "http://jvn.jp/en/jp/JVN94435544/index.html",
"refsource": "MISC",
"url": "http://jvn.jp/en/jp/JVN94435544/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5528",
"datePublished": "2020-02-06T09:30:14.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:30:24.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-6025 (GCVE-0-2019-6025)
Vulnerability from cvelistv5 – Published: 2019-12-26 15:16 – Updated: 2024-08-04 20:16
VLAI
Summary
Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
Severity
No CVSS data available.
CWE
- Open Redirect
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://movabletype.org/news/2019/11/movable_type… | x_refsource_MISC |
| http://jvn.jp/en/jp/JVN65280626/index.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart Ltd | Movable Type series |
Affected:
Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:16:23.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/news/2019/11/movable_type_r4603_v714_v652_and_v6310_released.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN65280626/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type series",
"vendor": "Six Apart Ltd",
"versions": [
{
"status": "affected",
"version": "Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-26T15:16:50.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/news/2019/11/movable_type_r4603_v714_v652_and_v6310_released.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jvn.jp/en/jp/JVN65280626/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2019-6025",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type series",
"version": {
"version_data": [
{
"version_value": "Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium)"
}
]
}
}
]
},
"vendor_name": "Six Apart Ltd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Advanced 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type Advanced 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type Advanced 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movable Type Premium 1.24 and earlier (Movable Type Premium), and Movable Type Premium (Advanced Edition) 1.24 and earlier (Movable Type Premium) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://movabletype.org/news/2019/11/movable_type_r4603_v714_v652_and_v6310_released.html",
"refsource": "MISC",
"url": "https://movabletype.org/news/2019/11/movable_type_r4603_v714_v652_and_v6310_released.html"
},
{
"name": "http://jvn.jp/en/jp/JVN65280626/index.html",
"refsource": "MISC",
"url": "http://jvn.jp/en/jp/JVN65280626/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2019-6025",
"datePublished": "2019-12-26T15:16:50.000Z",
"dateReserved": "2019-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:16:23.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0672 (GCVE-0-2018-0672)
Vulnerability from cvelistv5 – Published: 2018-09-04 13:00 – Updated: 2024-08-05 03:35
VLAI
Summary
Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
1 reference
| URL | Tags |
|---|---|
| http://jvn.jp/en/jp/JVN89550319/index.html | third-party-advisoryx_refsource_JVN |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Six Apart, Ltd. | Movable Type |
Affected:
versions prior to Ver. 6.3.1
|
Date Public
2018-08-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:35:48.727Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#89550319",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN89550319/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Movable Type",
"vendor": "Six Apart, Ltd.",
"versions": [
{
"status": "affected",
"version": "versions prior to Ver. 6.3.1"
}
]
}
],
"datePublic": "2018-08-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-04T12:57:01.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#89550319",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN89550319/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2018-0672",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Movable Type",
"version": {
"version_data": [
{
"version_value": "versions prior to Ver. 6.3.1"
}
]
}
}
]
},
"vendor_name": "Six Apart, Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Movable Type versions prior to Ver. 6.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#89550319",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN89550319/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2018-0672",
"datePublished": "2018-09-04T13:00:00.000Z",
"dateReserved": "2017-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:35:48.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-5742 (GCVE-0-2016-5742)
Vulnerability from cvelistv5 – Published: 2017-01-23 21:00 – Updated: 2024-08-06 01:07
VLAI
Summary
SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/06/22/5 | mailing-listx_refsource_MLIST |
| http://www.securitytracker.com/id/1036160 | vdb-entryx_refsource_SECTRACK |
| http://www.openwall.com/lists/oss-security/2016/06/22/3 | mailing-listx_refsource_MLIST |
| https://movabletype.org/news/2016/06/movable_type… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2016/06/22/6 | mailing-listx_refsource_MLIST |
Date Public
2016-06-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:07:59.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/5"
},
{
"name": "1036160",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1036160"
},
{
"name": "[oss-security] 20160622 CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html"
},
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-06-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-31T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/5"
},
{
"name": "1036160",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1036160"
},
{
"name": "[oss-security] 20160622 CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html"
},
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-5742",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/5"
},
{
"name": "1036160",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1036160"
},
{
"name": "[oss-security] 20160622 CVE request: SQL injection in MovableType xml-rpc interface",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/3"
},
{
"name": "https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html",
"refsource": "CONFIRM",
"url": "https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html"
},
{
"name": "[oss-security] 20160622 Re: CVE request: SQL injection in MovableType xml-rpc interface",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/06/22/6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-5742",
"datePublished": "2017-01-23T21:00:00.000Z",
"dateReserved": "2016-06-22T00:00:00.000Z",
"dateUpdated": "2024-08-06T01:07:59.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-0845 (GCVE-0-2015-0845)
Vulnerability from cvelistv5 – Published: 2015-04-17 17:00 – Updated: 2024-08-06 04:26
VLAI
Summary
Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://www.debian.org/security/2015/dsa-3227 | vendor-advisoryx_refsource_DEBIAN |
| http://www.securitytracker.com/id/1032153 | vdb-entryx_refsource_SECTRACK |
| https://movabletype.org/news/2015/04/movable_type… | x_refsource_CONFIRM |
Date Public
2015-04-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:10.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3227",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3227"
},
{
"name": "1032153",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1032153"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-04-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-05-04T20:57:00.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "DSA-3227",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3227"
},
{
"name": "1032153",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1032153"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-0845",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3227",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3227"
},
{
"name": "1032153",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1032153"
},
{
"name": "https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html",
"refsource": "CONFIRM",
"url": "https://movabletype.org/news/2015/04/movable_type_608_and_5213_released_to_close_security_vulnera.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-0845",
"datePublished": "2015-04-17T17:00:00.000Z",
"dateReserved": "2015-01-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:26:10.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-2184 (GCVE-0-2013-2184)
Vulnerability from cvelistv5 – Published: 2015-03-27 14:00 – Updated: 2024-08-06 15:27
VLAI
Summary
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://seclists.org/oss-sec/2013/q2/568 | mailing-listx_refsource_MLIST |
| https://movabletype.org/documentation/appendices/… | x_refsource_MISC |
| http://seclists.org/oss-sec/2013/q2/560 | mailing-listx_refsource_MLIST |
| http://www.debian.org/security/2015/dsa-3183 | vendor-advisoryx_refsource_DEBIAN |
Date Public
2013-06-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:27:41.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20130614 Re: CVE request: MovableType before 5.2.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/568"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html"
},
{
"name": "[oss-security] 20130613 CVE request: MovableType before 5.2.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2013/q2/560"
},
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-06-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-03-27T11:57:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20130614 Re: CVE request: MovableType before 5.2.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/568"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html"
},
{
"name": "[oss-security] 20130613 CVE request: MovableType before 5.2.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2013/q2/560"
},
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-2184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130614 Re: CVE request: MovableType before 5.2.6",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q2/568"
},
{
"name": "https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html",
"refsource": "MISC",
"url": "https://movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html"
},
{
"name": "[oss-security] 20130613 CVE request: MovableType before 5.2.6",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q2/560"
},
{
"name": "DSA-3183",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2184",
"datePublished": "2015-03-27T14:00:00.000Z",
"dateReserved": "2013-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T15:27:41.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1592 (GCVE-0-2015-1592)
Vulnerability from cvelistv5 – Published: 2015-02-19 15:00 – Updated: 2024-08-06 04:47
VLAI
Summary
Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://www.debian.org/security/2015/dsa-3183 | vendor-advisoryx_refsource_DEBIAN |
| http://www.securitytracker.com/id/1031777 | vdb-entryx_refsource_SECTRACK |
| http://www.openwall.com/lists/oss-security/2015/02/12/2 | mailing-listx_refsource_MLIST |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| https://movabletype.org/news/2015/02/movable_type… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/72606 | vdb-entryx_refsource_BID |
| http://www.openwall.com/lists/oss-security/2015/0… | mailing-listx_refsource_MLIST |
Date Public
2015-02-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:17.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"name": "1031777",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031777"
},
{
"name": "[oss-security] 20150212 CVE request: MovableType before 5.2.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/2"
},
{
"name": "movable-type-cve20151592-file-include(100912)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100912"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html"
},
{
"name": "72606",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72606"
},
{
"name": "[oss-security] 20150212 Re: CVE request: MovableType before 5.2.12 - Movable Type",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-07T15:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"name": "1031777",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031777"
},
{
"name": "[oss-security] 20150212 CVE request: MovableType before 5.2.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/2"
},
{
"name": "movable-type-cve20151592-file-include(100912)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100912"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html"
},
{
"name": "72606",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72606"
},
{
"name": "[oss-security] 20150212 Re: CVE request: MovableType before 5.2.12 - Movable Type",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/17"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1592",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3183",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"name": "1031777",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031777"
},
{
"name": "[oss-security] 20150212 CVE request: MovableType before 5.2.12",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/2"
},
{
"name": "movable-type-cve20151592-file-include(100912)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100912"
},
{
"name": "https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html",
"refsource": "CONFIRM",
"url": "https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html"
},
{
"name": "72606",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72606"
},
{
"name": "[oss-security] 20150212 Re: CVE request: MovableType before 5.2.12 - Movable Type",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/02/12/17"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1592",
"datePublished": "2015-02-19T15:00:00.000Z",
"dateReserved": "2015-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:47:17.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9057 (GCVE-0-2014-9057)
Vulnerability from cvelistv5 – Published: 2014-12-16 18:00 – Updated: 2024-08-06 13:33
VLAI
Summary
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://secunia.com/advisories/61227 | third-party-advisoryx_refsource_SECUNIA |
| https://www.debian.org/security/2015/dsa-3183 | vendor-advisoryx_refsource_DEBIAN |
| https://movabletype.org/news/2014/12/6.0.6.html | x_refsource_CONFIRM |
| https://movabletype.org/documentation/appendices/… | x_refsource_CONFIRM |
Date Public
2014-12-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:33:13.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61227",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61227"
},
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://movabletype.org/news/2014/12/6.0.6.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://movabletype.org/documentation/appendices/release-notes/6.0.6.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-03-20T13:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "61227",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61227"
},
{
"name": "DSA-3183",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://movabletype.org/news/2014/12/6.0.6.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://movabletype.org/documentation/appendices/release-notes/6.0.6.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9057",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61227",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61227"
},
{
"name": "DSA-3183",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2015/dsa-3183"
},
{
"name": "https://movabletype.org/news/2014/12/6.0.6.html",
"refsource": "CONFIRM",
"url": "https://movabletype.org/news/2014/12/6.0.6.html"
},
{
"name": "https://movabletype.org/documentation/appendices/release-notes/6.0.6.html",
"refsource": "CONFIRM",
"url": "https://movabletype.org/documentation/appendices/release-notes/6.0.6.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9057",
"datePublished": "2014-12-16T18:00:00.000Z",
"dateReserved": "2014-11-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:33:13.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-5313 (GCVE-0-2014-5313)
Vulnerability from cvelistv5 – Published: 2014-09-10 10:00 – Updated: 2024-08-06 11:41
VLAI
Summary
Cross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| http://jvndb.jvn.jp/jvndb/JVNDB-2014-000104 | third-party-advisoryx_refsource_JVNDB |
| http://jvn.jp/en/jp/JVN73357573/370331/index.html | x_refsource_CONFIRM |
| http://jvn.jp/en/jp/JVN73357573/index.html | third-party-advisoryx_refsource_JVN |
Date Public
2014-09-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:41:47.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVNDB-2014-000104",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000104"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN73357573/370331/index.html"
},
{
"name": "JVN#73357573",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN73357573/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-09-10T08:57:00.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVNDB-2014-000104",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000104"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://jvn.jp/en/jp/JVN73357573/370331/index.html"
},
{
"name": "JVN#73357573",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN73357573/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2014-5313",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the management page in Six Apart Movable Type before 5.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVNDB-2014-000104",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000104"
},
{
"name": "http://jvn.jp/en/jp/JVN73357573/370331/index.html",
"refsource": "CONFIRM",
"url": "http://jvn.jp/en/jp/JVN73357573/370331/index.html"
},
{
"name": "JVN#73357573",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN73357573/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2014-5313",
"datePublished": "2014-09-10T10:00:00.000Z",
"dateReserved": "2014-08-18T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:41:47.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}