Published: 2025/02/19  Last Updated: 2025/02/19

JVN#48742353
Multiple cross-site scripting vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities.

Products Affected

  • Movable Type
    • 8.4.1 and earlier (8.4.x series)
    • 8.0.5 and earlier (8.0.x series)
  • Movable Type Advanced
    • 8.4.1 and earlier (8.4.x series)
    • 8.0.5 and earlier (8.0.x series)
  • Movable Type Premium 2.06 and earlier (2.x series)
  • Movable Type Premium (Advanced Edition) 2.06 and earlier (2.x series)
  • Movable Type Cloud Edition 8.4.1 and earlier (8.x series)
  • Movable Type Premium Cloud Edition 2.06 and earlier (2.x series)

Description

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.

  • Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-22888
  • Stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-24841
    • affected when TinyMCE6 is used as a rich text editor
  • Reflected cross-site scripting vulnerability in the user information edit page (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-25054
    • affected when Multi-Factor authentication plugin for Sign-in is enabled

Impact

  • An arbitrary script may be executed on a logged-in user's web browser (CVE-2025-22888, CVE-2025-24841)
  • If a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user (CVE-2025-25054)

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities:

  • Movable Type
    • 8.4.2 (8.4.x series)
    • 8.0.6 (8.0.x series)
  • Movable Type Advanced
    • 8.4.2 (8.4.x series)
    • 8.0.6 (8.0.x series)
  • Movable Type Premium 2.07 (2.x series)
  • Movable Type Premium (Advanced Edition) 2.07 (2.x series)
  • Movable Type Cloud Edition 8.5.0 (8.x series)
  • Movable Type Premium Cloud Edition 2.07 (2.x series)

For more details, refer to the information provided by the developer.

Vendor Status

Vendor          Status      Last Update  Vendor Notes
Six Apart Ltd.  Vulnerable  2025/02/19   Six Apart Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

LEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly.
Six Apart Ltd. found CVE-2025-22888 and CVE-2025-24841.
Six Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.

Other Information

  • JPCERT Alert
  • JPCERT Reports
  • CERT Advisory
  • CPNI Advisory
  • TRnotes
  • CVE: CVE-2025-22888, CVE-2025-24841, CVE-2025-25054
  • JVN iPedia: JVNDB-2025-000014