Command Injection Vulnerability in Movable Type by Six Apart Ltd.
CVE-2022-38078

9.8 CRITICAL

Key Information:

Vendor: Six Apart Ltd.
CVE Published: 24 August 2022

What is CVE-2022-38078?

The XMLRPC API of Movable Type, developed by Six Apart Ltd., contains a command injection vulnerability. An attacker can trigger the flaw by sending a specially crafted POST request to the XMLRPC API, which may allow execution of an arbitrary Perl script and, through it, arbitrary OS commands. The vulnerability affects multiple versions of the Movable Type platform, including versions prior to 7 r.5202, 6.8.6, and 1.52 for Movable Type Premium and Premium Advanced. Notably, it also impacts all versions from 4.0 onwards, including those that have reached End-of-Life.

Affected Version(s)

Movable Type XMLRPC API:

  • Movable Type 7 r.5202 and earlier
  • Movable Type Advanced 7 r.5202 and earlier
  • Movable Type 6.8.6 and earlier
  • Movable Type Advanced 6.8.6 and earlier
  • Movable Type Premium 1.52 and earlier
  • Movable Type Premium Advanced 1.52 and earlier

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
