CVE-2022-38078

Name of the Vulnerable Software and Affected Versions Movable Type versions 4.0 and later Movable Type versions 7 r.5202 and earlier Movable Type Advanced versions 7 r.5202 and earlier Movable Type versions 6.8.6 and earlier Movable Type Advanced versions 6.8.6 and earlier Movable Type Premium versions 1.52 and earlier Movable Type Premium Advanced versions 1.52 and earlier

Description The Movable Type XMLRPC API contains a command injection vulnerability related to errors in processing input data. Exploitation of this issue may allow a remote attacker to execute arbitrary commands. Sending a specially crafted message by POST method to the Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.

Recommendations For Movable Type versions 7 r.5202 and earlier, update to a version later than 7 r.5202. For Movable Type Advanced versions 7 r.5202 and earlier, update to a version later than 7 r.5202. For Movable Type versions 6.8.6 and earlier, update to a version later than 6.8.6. For Movable Type Advanced versions 6.8.6 and earlier, update to a version later than 6.8.6. For Movable Type Premium versions 1.52 and earlier, update to a version later than 1.52. For Movable Type Premium Advanced versions 1.52 and earlier, update to a version later than 1.52. As a temporary workaround, consider restricting access to the Movable Type XMLRPC API until a patch is available.