PT-2022-26995 · Unknown · Movable Type Premium Advanced+3
Published: 2022-12-07 · Updated: 2025-04-23
CVE-2022-43660
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Movable Type versions 7 r.5301 and earlier
Movable Type Advanced versions 7 r.5301 and earlier
Movable Type Premium version 1.53 and earlier
Movable Type Premium Advanced version 1.53 and earlier
Description
The issue is related to the improper neutralization of Server-Side Includes (SSI) within a web page in the Movable Type series. This allows a remote authenticated attacker with the privilege of 'Manage of Content Types' to execute an arbitrary Perl script and/or an arbitrary OS command.
Recommendations
For Movable Type versions 7 r.5301 and earlier, update to a version later than 7 r.5301.
For Movable Type Advanced versions 7 r.5301 and earlier, update to a version later than 7 r.5301.
For Movable Type Premium version 1.53 and earlier, update to a version later than 1.53.
For Movable Type Premium Advanced version 1.53 and earlier, update to a version later than 1.53.
Fix
Code Injection
Affected Products
Movable Type
Movable Type Advanced
Movable Type Premium
Movable Type Premium Advanced