Server-Side Include Vulnerability in Movable Type Products
CVE-2022-43660

7.2HIGH

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type
Vendor: CVE Published:; 7 December 2022

Summary

A vulnerability exists in Movable Type products where improper handling of Server-Side Includes (SSI) can be exploited by a remote authenticated attacker. With 'Manage of Content Types' privileges, the attacker can execute arbitrary Perl scripts and OS commands, potentially compromising the integrity and confidentiality of the system. This issue primarily affects various versions of Movable Type, making it crucial for users to apply the necessary updates and patches to mitigate risks.

Affected Version(s)

Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier

References

https://movabletype.org/news/2022/11/mt-796-688-released....

https://jvn.jp/en/jp/JVN37014768/index.html

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 7, 2022
Vulnerability Reserved
Nov 15, 2022