CVE-2013-0209

Name of the Vulnerable Software and Affected Versions Movable Type versions 4.2x through 4.38

Description The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely. Specifically, in Movable Type, the lib/MT/Upgrade.pm file in mt-upgrade.cgi does not require authentication for requests to database-migration functions. This allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, such as an eval injection attack against the core drop meta for table function. This can lead to the execution of arbitrary Perl code.

Recommendations For Movable Type versions 4.2x through 4.38, consider restricting access to the mt-upgrade.cgi script until a patch is available. As a temporary workaround, ensure that authentication is required for all requests to database-migration functions to prevent unauthorized access.