Input Validation Flaw in Movable Type by Six Apart
CVE-2022-45113

6.5MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type
Vendor: CVE Published:; 7 December 2022

Summary

An improper validation of the syntactic correctness of input vulnerability exists in the Movable Type series. This flaw allows a remote unauthenticated attacker to manipulate the Reset Password page by crafting specific URLs. By exploiting this vulnerability, attackers could potentially conduct phishing attacks, leading users to malicious sites under the guise of the legitimate authentication process. Users of affected versions are encouraged to update their Movable Type installations to mitigate the risk associated with this vulnerability.

Affected Version(s)

Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier

References

https://movabletype.org/news/2022/11/mt-796-688-released....

https://jvn.jp/en/jp/JVN37014768/index.html

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 7, 2022
Vulnerability Reserved
Nov 15, 2022