4 results (0.012 seconds)

CVSS: 4.3EPSS: 0%CPEs: 120EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to inject arbitrary web script or HTML via vectors involving templates, a different issue than CVE-2012-1262. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Movable Type anteriores a 4.38, 5.0x anteriores 5.07, y 5.1x anteriores a 5.13 permiten a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de vectores relacionados con plantillas ("templates"), una vulnerabilidad distinta a la CVE-2012-1262. • http://jvn.jp/en/jp/JVN49836527/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000016 http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.securityfocus.com/bid/52138 http://www.securitytracker.com/id?1026738 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.0EPSS: 0%CPEs: 120EXPL: 0

The default configuration of Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 supports the "mt:Include file=" attribute, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files by leveraging the template-designer role. La configuración por defecto de Movable Type anteriores a 4.38, 5.0x y 5.07, y 5.1x anteriores 5.13 soporta el atributo "mt:Include file=", lo que permite a usuarios autenticados remotos realizar ataques de salto de directorio y leer archivos arbitrarios utilizando el perfil "template-designer". • http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.5EPSS: 0%CPEs: 120EXPL: 0

The file-management system in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote authenticated users to execute arbitrary commands by leveraging the file-upload feature, related to an "OS Command Injection" issue. El sistema de gestión de archivos de Movable Type anteriores a 4.38, 5.0x anteriores a 5.07, y 5.1x anteriores a 5.13 permite a usuarios autenticados remotos ejecutar comandos arbitrarios utilizando la funcionalidad de subida de archivos, relacionado con una "inyección de comandos en el SO". • http://jvn.jp/en/jp/JVN92683325/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000017 http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.securityfocus.com/bid/52138 http://www.securitytracker.com/id?1026738 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.3EPSS: 0%CPEs: 120EXPL: 1

Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the dbuser parameter, a different vulnerability than CVE-2012-0318. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en cgi-bin/mt/mt-wizard.cgi de Movable Type anteriores a 4.38, 5.0x anteriores a 5.07, y 5.1x anteriores a 5.13, si el producto es instalado de manera incompleta, permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro dbuser, una vulnerabilidad distinta a la CVE-2012-0318. Movable Type Publishing Platform versions prior to 5.13, 5.07, and 4.38 are affected by a cross site scripting vulnerability. After extracting the Moveable Type CGI files and source files on to a web server, but before the application is fully installed, cross site scripting vulnerabilities are present in the '/cgi-bin/mt/mt-wizard.cgi' page. • http://jvn.jp/en/jp/JVN49836527/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000016 http://osvdb.org/79470 http://packetstormsecurity.org/files/110203/Movable-Type-Publishing-Platform-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2012/Feb/407 http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •