HTML Attribute Value Injection Vulnerability in Movable Type by Six Apart
CVE-2020-5574

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 14 May 2020

Summary

The Movable Type product line contains an HTML attribute value injection weakness that remote attackers can exploit. The flaw could lead to unauthorized manipulation of HTML attributes via unspecified methods, potentially allowing malicious content to be injected. It affects various versions of Movable Type and its Advanced editions, including cloud deployments. Users are urged to update to the latest versions to mitigate this security risk.

Affected Version(s)

  • Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7)
  • Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7)
  • Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7)
  • Movable Type 6.5.3 and earlier (Movable Type 6.5)
  • Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5)
  • Movable Type 6.3.11 and earlier (Movable Type 6.3)
  • Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3)
  • Movable Type Premium 1.29 and earlier
  • Movable Type Premium Advanced 1.29 and earlier

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
