Published:2012/02/23 Last Updated:2012/02/23
JVN#92683325
Movable Type vulnerable to OS command injection
Overview
Movable Type contains an OS command injection vulnerability.
Products Affected
Version 5.12, 5.06, 4.37, 4.292 and earlier of the products listed below are vulnerable.
- Movable Type Open Source
- Movable Type (with Professional Pack, Community Pack)
- Movable Type Enterprise
- Movable Type Advanced
Description
Movable Type contains an OS command injection vulnerability in its file management system.
Impact
A user with a privilege to upload files may execute an arbitrary OS command.
Solution
Update the software
Update to the latest version of each product according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Six Apart KK | Movable Type 5.13, 5.07, and 4.38 Release Notes |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2012-0319 |
| JVN iPedia |
JVNDB-2012-000017 |