Published:2020/05/13  Last Updated:2020/05/13

JVN#28806943
Multiple vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities.

Products Affected

  • Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7)
  • Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7)
  • Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7)
  • Movable Type 6.5.3 and earlier (Movable Type 6.5)
  • Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5)
  • Movable Type 6.3.11 and earlier (Movable Type 6.3)
  • Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3)
  • Movable Type Premium 1.29 and earlier
  • Movable Type Premium Advanced 1.29 and earlier

Description

Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below.

  • HTML attribute value injection vulnerability (CWE-74) - CVE-2020-5574
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Cross-site scripting due to a flaw in processing multiple query strings (CWE-79) - CVE-2020-5575
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Cross-site request forgery (CWE-352) - CVE-2020-5576
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Unrestricted upload of file with specific extentions (CWE-434) - CVE-2020-5577
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

  • A remote attacker may inject arbitrary HTML attribute value. - CVE-2020-5574
  • An arbitrary script may be executed on a logged in user's web browser. - CVE-2020-5575
  • If a user views a malicious page while logged in, unintended operations may be performed. - CVE-2020-5576
  • A user who can upload files may upload arbitrary files and execute php script. - CVE-2020-5577

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Six Apart Ltd. Vulnerable 2020/05/13 Six Apart Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following researchers reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2020-5574, CVE-2020-5575, CVE-2020-5576
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

CVE-2020-5577
Yuji Tounai of Mitsui Bussan Secure Directions, Inc.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5574
CVE-2020-5575
CVE-2020-5576
CVE-2020-5577
JVN iPedia JVNDB-2020-000030