PT-2015-3545 · Six Apart · Movable Type
John Lightsey · Published 2015-03-12 · Updated 2015-03-27 · CVE-2013-2184
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Movable Type versions prior to 5.2.6
Description
The issue arises from the incorrect usage of the Storable::thaw function, allowing remote attackers to execute arbitrary code through the comment state parameter. This enables attackers to potentially gain control over the system.
Recommendations
For versions prior to 5.2.6, update to version 5.2.6 or later to resolve the issue.
As a temporary workaround, consider restricting access to the comment state parameter until a patch is available.
Exploit
Fix
RCE
Affected Products
Movable Type