Daiji Hirata

Researcher from Six Apart
Rank #13438 of 53,632
19.8 Total CVSS
Vulnerabilities · 2
Critical · 2
PT-2022-4446 · 10 · 2022-08-24 · Unknown · Movable Type Premium Advanced · CVE-2022-38078
**Name of the Vulnerable Software and Affected Versions**

- Movable Type versions 4.0 and later
- Movable Type versions 7 r.5202 and earlier
- Movable Type Advanced versions 7 r.5202 and earlier
- Movable Type versions 6.8.6 and earlier
- Movable Type Advanced versions 6.8.6 and earlier
- Movable Type Premium versions 1.52 and earlier
- Movable Type Premium Advanced versions 1.52 and earlier

**Description**

The Movable Type XMLRPC API contains a command injection vulnerability caused by errors in processing input data. Exploitation of this issue may allow a remote attacker to execute arbitrary commands: a specially crafted message sent by the POST method to the Movable Type XMLRPC API may allow arbitrary Perl script execution, through which an arbitrary OS command may be executed.

**Recommendations**

- For Movable Type versions 7 r.5202 and earlier, update to a version later than 7 r.5202.
- For Movable Type Advanced versions 7 r.5202 and earlier, update to a version later than 7 r.5202.
- For Movable Type versions 6.8.6 and earlier, update to a version later than 6.8.6.
- For Movable Type Advanced versions 6.8.6 and earlier, update to a version later than 6.8.6.
- For Movable Type Premium versions 1.52 and earlier, update to a version later than 1.52.
- For Movable Type Premium Advanced versions 1.52 and earlier, update to a version later than 1.52.

As a temporary workaround, consider restricting access to the Movable Type XMLRPC API until a patch is available.