Published: 2007/01/23  Last Updated: 2008/05/21

JVN#32985115
Movable Type cross-site scripting vulnerability

Overview

Movable Type, a web log system from Six Apart, contains a cross-site scripting vulnerability.

This vulnerability is different from JVN#68295640.

Products Affected

  • Movable Type 3.3-ja
  • Movable Type 3.31-ja
  • Movable Type 3.32-ja
  • Movable Type 3.33-ja

For more information, refer to the vendor's website.

Description

Impact

An arbitrary script could be executed in the user's web browser, or the displayed content of a web page could be falsified. In addition, an attacker may be able to access a user's cookie, allowing them to view sensitive information or hijack an authenticated user's session.
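The impact described above is the usual consequence of user-controlled text reaching a page without output encoding. The following Python is an added illustration for this advisory; it is not Movable Type's code and is not taken from Six Apart or JPCERT/CC. The comment text, template fragments and the cookie name demo_session are constructed for the demo. It shows the vulnerable interpolation beside its escaped form, a scheme check for URLs placed in an href attribute, and the HttpOnly flag that keeps injected script from reading the session cookie even when an injection does land.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed attacker-controlled comment body (sample input for the demo).
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"

# Hypothetical session cookie name; the advisory names no cookie, so this
# is a placeholder rather than Movable Type's real cookie.
SESSION_COOKIE = "demo_session"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted text interpolated verbatim into HTML.
    Whatever markup the commenter supplied becomes part of the page."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: encode the HTML metacharacters (& < > " ') before
    the text is placed in an element body, so it is shown, not parsed."""
    return f'<p class="comment">{escape(comment, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Attribute context needs a second check: escaping alone does not stop
    a non-HTTP scheme from running when the link is followed, so only http
    and https pass through; anything else collapses to '#'."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ("http", "https"):
        return "#"
    return escape(cleaned, quote=True)


def render_author_link(name: str, url: str) -> str:
    """The display name lands in element-body context, the URL in an
    attribute; each value is encoded for its own context."""
    return f'<a href="{safe_href(url)}">{escape(name, quote=True)}</a>'


def session_cookie_header(value: str, secure: bool = True) -> str:
    """Build a Set-Cookie value with HttpOnly so document.cookie cannot read
    the session token; Secure keeps it off plaintext HTTP."""
    attrs = ["Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return f"{SESSION_COOKIE}={value}; " + "; ".join(attrs)


def cookie_is_httponly(set_cookie: str) -> bool:
    """Check a Set-Cookie header from a login response for the HttpOnly
    flag; a quick audit step when reviewing an application's sessions."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "httponly" in attrs


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
    print(render_author_link("O'Brien", "javascript:void(0)"))
    print(session_cookie_header("abc123"))
```

HttpOnly does not remove the injection; it only limits the cookie-theft path named in the impact. The output encoding is the actual fix, and it has to be applied per context (element body versus attribute versus URL), which is why the example encodes the author name and the link target separately.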

Solution

Vendor Status

Vendor        Status      Last Update  Vendor Notes
Six Apart KK  Vulnerable  2007/01/23

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.01.23

Measure: Access Required
  Condition: Routed - can be attacked over the Internet using packets
  Severity: High

Measure: Authentication
  Condition: Limited - self-registration, perhaps valid e-mail
  Severity: Medium-High

Measure: User Interaction Required
  Condition: Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  Severity: Medium

Measure: Exploit Complexity
  Condition: Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  Severity: High

Description of each analysis measure

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia: JVNDB-2007-000073

Update History