JVN#28806943: Multiple vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities.

Products Affected

Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7)
Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7)
Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7)
Movable Type 6.5.3 and earlier (Movable Type 6.5)
Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5)
Movable Type 6.3.11 and earlier (Movable Type 6.3)
Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3)
Movable Type Premium 1.29 and earlier
Movable Type Premium Advanced 1.29 and earlier

Description

Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below.

HTML attribute value injection vulnerability (CWE-74) - CVE-2020-5574

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
Cross-site scripting due to a flaw in processing multiple query strings (CWE-79) - CVE-2020-5575

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Cross-site request forgery (CWE-352) - CVE-2020-5576

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Unrestricted upload of file with specific extentions (CWE-434) - CVE-2020-5577

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3

CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

A remote attacker may inject arbitrary HTML attribute value. - CVE-2020-5574
An arbitrary script may be executed on a logged in user's web browser. - CVE-2020-5575
If a user views a malicious page while logged in, unintended operations may be performed. - CVE-2020-5576
A user who can upload files may upload arbitrary files and execute php script. - CVE-2020-5577

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Six Apart Ltd.	Vulnerable	2020/05/13	Six Apart Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following researchers reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2020-5574, CVE-2020-5575, CVE-2020-5576
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

CVE-2020-5577
Yuji Tounai of Mitsui Bussan Secure Directions, Inc.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE	CVE-2020-5574
	CVE-2020-5575
	CVE-2020-5576
	CVE-2020-5577
JVN iPedia	JVNDB-2020-000030

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N	Base Score: 4.7
CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	Base Score: 6.3
CVSS v2	AV:N/AC:L/Au:S/C:P/I:P/A:P	Base Score: 6.5

JVN#28806943 Multiple vulnerabilities in Movable Type