Movable Type Multiple Remote Vulnerabilities
BID:52138
Info
| Bugtraq ID: | 52138 |
| Class: | Unknown |
| CVE: | CVE-2012-0317, CVE-2012-0318, CVE-2012-0319, CVE-2012-0320, CVE-2012-1262 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 23 2012 12:00AM |
| Updated: | Feb 24 2012 11:50PM |
| Credit: | Trustwave and Movable Type |
| Vulnerable: | Movable Type Movable Type 5.12; Movable Type Movable Type 5.11; Movable Type Movable Type 5.06; Movable Type Movable Type 5.051; Movable Type Movable Type 5.05; Movable Type Movable Type 5.04; Movable Type Movable Type 5.03; Movable Type Movable Type 5.02; Movable Type Movable Type 5.01; Movable Type Movable Type 5.0; Movable Type Movable Type 4.37; Movable Type Movable Type 4.361; Movable Type Movable Type 4.36; Movable Type Movable Type 4.35; Movable Type Movable Type 4.34; Movable Type Movable Type 4.27; Movable Type Movable Type 4.261; Movable Type Movable Type 4.26; Movable Type Movable Type 4.25; Movable Type Movable Type 4.24; Movable Type Movable Type 4.23; Movable Type Movable Type 4.22; Movable Type Movable Type 4.21; Movable Type Movable Type 4.13; Movable Type Movable Type 4.01; Movable Type Movable Type 4 |
| Not Vulnerable: | Movable Type Movable Type 5.13; Movable Type Movable Type 5.07; Movable Type Movable Type 4.38 |
Discussion
Movable Type is prone to multiple remote vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities
2. A cross-site request forgery vulnerability
3. A session-hijacking vulnerability
4. A remote command-execution vulnerability
An attacker can exploit these vulnerabilities to execute arbitrary script code and commands in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, hijack a user's session, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
Exploit / POC
An attacker can exploit some of these issues through a browser. To exploit the cross-site scripting and cross-site request forgery vulnerabilities, an attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for more details.
References
References:
- Cross-Site Scripting Vulnerability in Movable Type Publishing Platform (Trustwave)
- Movable Type 5.13, 5.07, and 4.38 Release Notes (Movable Type)
- Movable Type Homepage (Movable Type)