Multiple vulnerabilities have been discovered in Movable Type, a
blogging system. The Common Vulnerabilities and Exposures project
identifies the following problems:

- CVE-2013-2184

  Unsafe use of Storable::thaw in the handling of comments to blog
  posts could allow remote attackers to include and execute arbitrary
  local Perl files or possibly remotely execute arbitrary code.

- CVE-2014-9057

  Netanel Rubin from Check Point Software Technologies discovered a
  SQL injection vulnerability in the XML-RPC interface allowing
  remote attackers to execute arbitrary SQL commands.

- CVE-2015-1592

  The Perl Storable::thaw function is not properly used, allowing
  remote attackers to include and execute arbitrary local Perl files
  and possibly remotely execute arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 5.1.4+dfsg-4+deb7u2.

We recommend that you upgrade your movabletype-opensource packages.