CVE-2008-5845

Name of the Vulnerable Software and Affected Versions Movable Type versions prior to 4.23

Description The issue allows remote attackers to inject arbitrary web script or HTML via various fields, including MTEntryAuthorUsername, MTAuthorDisplayName, MTEntryAuthorDisplayName, or MTCommenterName in a Profile View template, listing or edit screens in the CMS app, TrackBack titles, or user archive names on published Community Blog templates. This is related to the HTML sanitization library.

Recommendations For versions prior to 4.23, update to version 4.23 or later to resolve the issue. As a temporary workaround, consider restricting user input in the mentioned fields to minimize the risk of exploitation. Avoid using the MTEntryAuthorUsername, MTAuthorDisplayName, MTEntryAuthorDisplayName, and MTCommenterName fields in Profile View templates, and limit access to listing and edit screens in the CMS app until the issue is resolved.