Published:2011/10/31  Last Updated:2012/03/14

Multiple SKYARC System Co., Ltd. products vulnerable to cross-site request forgery


Multiple products provided by SKYARC System Co., Ltd. contain a cross-site request forgery vulnerability.

Products Affected

  • MTCMS version 5.251 and earlier
  • MTCMS Enterprise version 5.251 and earlier
  • MTCMS Smart version 5.251 and earlier

The following pluigins for Movable Type below are also affected:

  • MultiFileuploader version 0.44 and earlier
  • MailPack version 1.741 and earlier
  • EntryImExporter version 1.41 and earlier
  • AutoTagging version 0.08 and earlier
  • AuthorEffective version 1.03 and earlier
  • DuplicateEntry version 1.2 and earlier


MTCMS and multiple Movable Type plugins provided by SKYARC System Co., Ltd. contain a cross-site request forgery vulnerability.


If a user views a malicious page while logged into MTCMS or a Movable Type implementation with any of the plugins from "Products Affected" running, information managed by MTCMS or Movable Type may be altered.


Apply an update
Update to the latest version according to the information provided by the developer.


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.10.31

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Mid
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures


Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2011-3994
JVN iPedia JVNDB-2011-000094

Update History

Information under "Products Affected" and "Vendor Status" were updated.
The title was corrected.