History: Dec 07, 2022 - 4:15 a.m.

CVE-2022-45113

2022-12-07 04:15:11
CWE-20
jpcert
web.nvd.nist.gov
27
cve-2022-45113
movable type
vulnerability
remote attacker
phishing attack

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score: 6.6
Confidence: High

EPSS: 0.001
Percentile: 51.3%

An improper validation of syntactic correctness of input vulnerability exists in the Movable Type series. Having a user access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.

Affected configurations

Nvd
Node
sixapart movable_type, Range 1.53, premium
OR
sixapart movable_type, Range 1.53, premium_advanced
OR
sixapart movable_type, Range 6.0 to 6.8.7, -
OR
sixapart movable_type, Range 6.0 to 6.8.7, advanced
OR
sixapart movable_type, Range 7.0 to 7.9.6, -
OR
sixapart movable_type, Range 7.0 to 7.9.6, advanced

Vendor    Product       Version  CPE
sixapart  movable_type  *        cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:*
sixapart  movable_type  *        cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium_advanced:*:*:*
sixapart  movable_type  *        cpe:2.3:a:sixapart:movable_type:*:*:*:*:-:*:*:*
sixapart  movable_type  *        cpe:2.3:a:sixapart:movable_type:*:*:*:*:advanced:*:*:*

CNA Affected

[
  {
    "vendor": "Six Apart Ltd.",
    "product": "Movable Type",
    "versions": [
      {
        "version": "Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier",
        "status": "affected"
      }
    ]
  }
]
