Stored Cross-Site Scripting Vulnerability in Movable Type by Six Apart
CVE-2025-24841
5.4 MEDIUM
Key Information:
- Vendor: Six Apart Ltd.
- Status
- Movable Type (8.4.x Series)
- Movable Type (8.0.x Series)
- Movable Type Advanced (8.4.x Series)
- Movable Type Advanced (8.0.x Series)
- CVE Published: 19 February 2025
Summary
Movable Type has a stored cross-site scripting vulnerability in the HTML edit mode of the MT Block Editor. This vulnerability can be exploited specifically when the TinyMCE6 rich text editor is utilized, allowing an attacker to execute arbitrary scripts in the web browser of a logged-in user. This can lead to unauthorized actions or data exposure, making it critical for users of affected versions to promptly address this vulnerability.
Affected Version(s)
Movable Type (8.0.x series) 8.0.5 and earlier
Movable Type (8.4.x series) 8.4.1 and earlier
Movable Type Advanced (8.0.x series) 8.0.5 and earlier
CVSS V3.0
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved