CVE-2021-20664

EUVD-2021-8082

05.03.2021, 10:15

Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Affected Products (NVD)

Vendor	Product	Version
movabletype	movable_type	𝑥 ≤ 6.7.5
movabletype	movable_type	7.0000 ≤ 𝑥 ≤ 7.4705
movabletype	movable_type_advanced	𝑥 ≤ 7.4705
movabletype	movable_type_premium	𝑥 ≤ 1.39
movabletype	movable_type_premium_advanced	𝑥 ≤ 1.39

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://jvn.jp/en/jp/JVN66542874/index.html

https://movabletype.org/news/2021/02/mt-760-676-released.html

https://jvn.jp/en/jp/JVN66542874/index.html

https://movabletype.org/news/2021/02/mt-760-676-released.html