Lucene search

K
jvnJapan Vulnerability NotesJVN:66542874
HistoryFeb 24, 2021 - 12:00 a.m.

JVN#66542874: Multiple cross-site scripting vulnerabilities in Movable Type

2021-02-2400:00:00
Japan Vulnerability Notes
jvn.jp
216

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

47.1%

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.

Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

An arbitrary script may be executed on a logged-in user’s web browser.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

Products Affected

CVE-2021-20663, CVE-2021-20664

  • Movable Type 7 r.4705 and earlier (Movable Type 7 Series)

  • Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series)

  • Movable Type 6.7.5 and earlier (Movable Type 6.7 Series)

  • Movable Type Premium 1.39 and earlier

  • Movable Type Premium Advanced 1.39 and earlier
    CVE-2021-20665

  • Movable Type 7 r.4705 and earlier (Movable Type 7 Series)

  • Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series)

  • Movable Type Premium 1.39 and earlier

  • Movable Type Premium Advanced 1.39 and earlier

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

47.1%

Related for JVN:66542874