Published: 2008/10/17  Last Updated: 2011/05/23

Movable Type cross-site scripting vulnerability


Movable Type contains a cross-site scripting vulnerability.

Products Affected

  • Movable Type 4 (version 4.22 and earlier)
  • Movable Type Enterprise 4 (version 4.22 and earlier)
  • Movable Type Community Solution 4 (version 4.22 and earlier)
  • Movable Type 4 (Open Source) (version 4.22 and earlier)
  • Movable Type 3 (version 3.37 and earlier)
  • Movable Type Enterprise 1.5 (version 1.55 and earlier)

  • For more information, refer to the vendor's website.


Movable Type, a weblog system from Six Apart KK, contains a cross-site scripting vulnerability caused by improper handling of input on the management page.

This vulnerability is different from JVN#30385652.


An arbitrary script may be executed on the blog administrator's web browser.


Update the Software
Update to the latest version according to the information provided by the vendor.

Vendor Status

Vendor        Status      Last Update   Vendor Notes
Six Apart KK  vulnerable  2011/05/20


JPCERT/CC Addendum

An updated version addressing this vulnerability was released on December 3, 2008.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2008.10.17

Measures, conditions and severity:

Access Required: can be attacked over the Internet using packets. Severity: High
Authentication: self-registration, perhaps valid e-mail. Severity: Mid-High
User Interaction Required: the user must be convinced to take a standard action that does not feel harmful to most users, such as clicking on a link or viewing a file. Severity: Mid
Exploit Complexity: the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious. Severity: High

Description of each analysis measure


Ryuji Sakai, Tomohito Yoshino and Yoshinori Ohta of Business Architects Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE: CVE-2008-4634
JVN iPedia: JVNDB-2008-000072

Update History

Information under the sections Products Affected and JPCERT/CC Addendum was modified.
Six Apart KK vendor status updated.