Movable Type Unspecified Cross-Site Scripting Vulnerability

Bugtraq ID:	22292
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 29 2007 12:00AM
Updated:	Jul 05 2007 09:17PM
Credit:	The vendor disclosed this issue.
Vulnerable:	Movable Type Movable Type 3.17 Movable Type Movable Type 3.16 Movable Type Movable Type 3.2 Movable Type Movable Type 2.63 Movable Type Movable Type 2.0 Movable Type Movable Type 3.33 Movable Type Movable Type 3.32 Movable Type Movable Type 3.31 Movable Type Movable Type 3.3
Not Vulnerable:	Movable Type Movable Type 3.34

Movable Type Unspecified Cross-Site Scripting Vulnerability

Movable Type is prone to an unspecified cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data.

Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to 3.34 are affected by this issue.

Movable Type Unspecified Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Movable Type Unspecified Cross-Site Scripting Vulnerability

Solution:
The vendor has released Movable Type 3.34 to address this issue. Please contact the vendor for information on how to obtain the new version.

Movable Type Unspecified Cross-Site Scripting Vulnerability

References:

• Movable Type Home Page (Six Apart)
  
• Six Apart, Ltd. Release Notes - Movable Type: 3.34 (Six Apart)