Japan Vulnerability Notes JVN:57728859
History: Aug 24, 2022 - 12:00 a.m.

JVN#57728859: Movable Type XMLRPC API vulnerable to command injection

2022-08-24 00:00:00
Japan Vulnerability Notes
jvn.jp
six apart ltd
command injection
remote attack

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 60.9%

Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74).
Sending a specially crafted message to the Movable Type XMLRPC API via the POST method may allow execution of an arbitrary Perl script, through which an arbitrary OS command may be executed.
According to the developer, even if the vulnerability is exploited, a command cannot be executed with an arbitrary value added to its argument.

Impact

An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.

Solution

Update the Software
Apply the appropriate update according to the information provided by the developer.
The developer has released the following updates that contain a fix for this vulnerability:

  • Movable Type 7 r.5301 (Movable Type 7 Series)
  • Movable Type Advanced 7 r.5301 (Movable Type Advanced 7 Series)
  • Movable Type 6.8.7 (Movable Type 6 Series)
  • Movable Type Advanced 6.8.7 (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.53
  • Movable Type Premium Advanced 1.53

Apply the workaround
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying the following mitigation to the products.

  • Disable the XMLRPC API function of Movable Type

Products Affected

  • Movable Type 7 r.5202 and earlier (Movable Type 7 Series)
  • Movable Type Advanced 7 r.5202 and earlier (Movable Type Advanced 7 Series)
  • Movable Type 6.8.6 and earlier (Movable Type 6 Series)
  • Movable Type Advanced 6.8.6 and earlier (Movable Type Advanced 6 Series)
  • Movable Type Premium 1.52 and earlier
  • Movable Type Premium Advanced 1.52 and earlier
The developer states that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are affected by this vulnerability.
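As an added triage helper (not part of the JVN advisory or of Movable Type itself): the code below decides whether a Movable Type version string falls inside the affected ranges listed above, and flags POST requests to the XML-RPC endpoint in access-log lines, since the flaw is reachable without credentials. The endpoint script name `mt-xmlrpc.cgi` is an assumption about the default install, and the log lines are constructed samples.

```python
import re

# Fixed versions per series, as listed in the advisory (affected = strictly older).
FIXED = {"7": (5301,), "6": (6, 8, 7), "premium": (1, 53)}

def parse_mt_version(text):
    """Map strings like 'Movable Type 7 r.5202', 'Movable Type Advanced 6.8.6' or
    'Movable Type Premium 1.52' to (series, comparable version tuple)."""
    text = text.strip()
    m = re.fullmatch(r"Movable Type(?: Advanced)? (\d+) r\.(\d+)", text)
    if m:                                  # 7-series 'r.NNNN' revision numbering
        return m.group(1), (int(m.group(2)),)
    m = re.fullmatch(r"Movable Type Premium(?: Advanced)? (\d+)\.(\d+)", text)
    if m:                                  # Premium editions use their own numbering
        return "premium", (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"Movable Type(?: Advanced)? (\d+(?:\.\d+)*)", text)
    if m:                                  # dotted versions, e.g. 6.8.6 or 5.2.13
        parts = tuple(int(p) for p in m.group(1).split("."))
        return str(parts[0]), parts
    raise ValueError(f"unrecognised Movable Type version string: {text!r}")

def is_affected(version_string):
    """True if the advisory's affected ranges cover this version."""
    series, ver = parse_mt_version(version_string)
    if series == "premium":
        return ver < FIXED["premium"]
    if int(series) < 4:                    # advisory: 4.0 or later is affected
        return False
    if series in FIXED:
        return ver < FIXED[series]
    return True                            # EOL series (e.g. 5.x): affected, no fix

XMLRPC_SCRIPT = "mt-xmlrpc.cgi"   # assumed endpoint name; adjust to the install's script
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def xmlrpc_posts(log_lines):
    """Return (client, timestamp, path, status) for every POST to the XML-RPC
    endpoint found in combined-format access log lines."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0].endswith(XMLRPC_SCRIPT):
            hits.append((m.group(1), m.group(2), m.group(4), m.group(5)))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [24/Aug/2022:10:01:02 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 200 512',
    '198.51.100.2 - - [24/Aug/2022:10:01:05 +0900] "GET /cgi-bin/mt/mt.cgi HTTP/1.1" 200 4096',
    '203.0.113.7 - - [24/Aug/2022:10:01:09 +0900] "POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1" 500 0',
]
```

On an unpatched host every hit returned by `xmlrpc_posts` is a request worth reviewing; on a patched one the list still shows whether the endpoint is actually in use before the workaround of disabling it is applied.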

