CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 60.9%
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.
According to the developer, even if the vulnerability is exploited, a command cannot be executed with an arbitrary value appended to its argument.
An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.
Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:
Movable Type 7 r.5301 (Movable Type 7 Series)
Movable Type Advanced 7 r.5301 (Movable Type Advanced 7 Series)
Movable Type 6.8.7 (Movable Type 6 Series)
Movable Type Advanced 6.8.7 (Movable Type Advanced 6 Series)
Movable Type Premium 1.53
Movable Type Premium Advanced 1.53
Apply the workaround
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying the following mitigation to the products.
Disable the XMLRPC API function of Movable Type