JVN#66542874
Multiple cross-site scripting vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities.

Products Affected

CVE-2021-20663, CVE-2021-20664

• Movable Type 7 r.4705 and earlier (Movable Type 7 Series)
• Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series)
• Movable Type 6.7.5 and earlier (Movable Type 6.7 Series)
• Movable Type Premium 1.39 and earlier
• Movable Type Premium Advanced 1.39 and earlier

• Movable Type 7 r.4705 and earlier (Movable Type 7 Series)
• Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series)
• Movable Type Premium 1.39 and earlier
• Movable Type Premium Advanced 1.39 and earlier

Description

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.

• Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

Impact

An arbitrary script may be executed on a logged-in user's web browser.

Solution

Update the software
Update to the latest version according to the information provided by the developer.