CVE-2022-43660

Published: Dec 7, 2022Modified: Apr 23, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.

Affected (4)

Products: Sixapart: Movable Type

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Sixapart Movable Type	From 7.0 to 7.9.6
Sixapart Movable Type	From 7.0 to 7.9.6
Sixapart Movable Type	Up to 1.53
Sixapart Movable Type	Up to 1.53

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://jvn.jp/en/jp/JVN37014768/index.html

Source: vultures@jpcert.or.jp

Third Party Advisory

https://movabletype.org/news/2022/11/mt-796-688-released.html

Source: vultures@jpcert.or.jp

Release NotesVendor Advisory

https://jvn.jp/en/jp/JVN37014768/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://movabletype.org/news/2022/11/mt-796-688-released.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.