Published: 2012/02/23 Last Updated: 2012/02/23
JVN#70683217
Movable Type vulnerable to cross-site request forgery
Overview
Movable Type contains a cross-site request forgery vulnerability.
Products Affected
Versions 5.12, 5.06, 4.37, 4.292 and earlier of the products listed below are vulnerable.
- Movable Type Open Source
- Movable Type (with Professional Pack, Community Pack)
- Movable Type Enterprise
- Movable Type Advanced
Description
Movable Type contains a cross-site request forgery vulnerability in its comment entry and community functionality.
Impact
If a user views a malicious page while logged in, settings may be changed and data may be viewed or altered.
Solution
Update the software
Update to the latest version for each product according to the information provided by the developer.
Vendor Status
Vendor | Link |
Six Apart KK | Movable Type 5.13, 5.07, and 4.38 Release Notes |
Other Information
CVE | CVE-2012-0317 |
JVN iPedia | JVNDB-2012-000015 |