Published: 2010/12/08 Last Updated: 2010/12/08
JVN#78536512
Movable Type vulnerable to SQL injection
Critical
Overview
Movable Type contains a SQL injection vulnerability.
Products Affected
- Movable Type Open Source 5.031 and earlier
- Movable Type 5.031 (includes Professional and Community Packs) and earlier
- Movable Type Advanced 5.031 and earlier
Description
Movable Type, a web log system from Six Apart KK, contains a SQL injection vulnerability.
Impact
A remote attacker may view or modify information stored by the product.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
|---|---|
| Six Apart KK | Movable Type 5.04 and 4.35 Release Notes |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2010.12.08 Critical
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets | |
| Authentication | anonymous or no authentication (IP addresses do not count) | |
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action | |
| Exploit Complexity | the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious | |
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2010-3922 |
| JVN iPedia | JVNDB-2010-000061 |
Update History
- 2010/12/08
  - Information under the section "References" was modified.