Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-5528

Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and earlier (Movable Type Advanced 7), Movable Type Advanced 6.5.2 and earlier (Movable Type Advanced 6.5), Movable Type Premium 1.26 and earlier (Movable Type Premium), and Movable Type Premium Advanced 1.26 and earlier (Movable Type Premium Advanced)) allows remote attackers to inject arbitrary web script or HTML in the block editor and the rich text editor via a specially crafted URL.

Published

2020-02-06T10:15:11.570

Last Modified

2024-11-21T05:34:13.180

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sixapart	movable_type	≤ 6.5.2	Yes
Application	sixapart	movable_type	≤ 7.1.4	Yes
Application	sixapart	movable_type	≤ 1.26	Yes
Application	sixapart	movable_type	≤ 1.26	Yes
Application	sixapart	movable_type	≤ 6.5.2	Yes
Application	sixapart	movable_type	≤ 7.1.4	Yes

References

http://jvn.jp/en/jp/JVN94435544/index.html Third Party Advisory ([email protected])
https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html Third Party Advisory ([email protected])
http://jvn.jp/en/jp/JVN94435544/index.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://movabletype.org/news/2020/02/movable_type_r4605_v720_v653_and_v6311_released.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)