Published:2012/02/23 Last Updated:2012/02/23
JVN#20083397
Movable Type vulnerable to session hijacking
Overview
Movable Type contains a session hijacking vulnerability.
Products Affected
Version 5.12, 5.06, 4.37, 4.292 and earlier of the products listed below are vulnerable.
- Movable Type Open Source
- Movable Type (with Professional Pack, Community Pack)
- Movable Type Enterprise
- Movable Type Advanced
Description
Movable Type contains a session hijacking vulnerability in entering comments and community functionality.
Impact
A remote unauthenticated attacker may impersonate an honest user of the affected product.
Solution
Update the software
Update to the latest version of each product according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Six Apart KK | Movable Type 5.13, 5.07, and 4.38 Release Notes |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2012-0320 |
| JVN iPedia |
JVNDB-2012-000018 |