CVE-2012-0319
https://notcve.org/view.php?id=CVE-2012-0319
The file-management system in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote authenticated users to execute arbitrary commands by leveraging the file-upload feature, related to an "OS Command Injection" issue. El sistema de gestión de archivos de Movable Type anteriores a 4.38, 5.0x anteriores a 5.07, y 5.1x anteriores a 5.13 permite a usuarios autenticados remotos ejecutar comandos arbitrarios utilizando la funcionalidad de subida de archivos, relacionado con una "inyección de comandos en el SO". • http://jvn.jp/en/jp/JVN92683325/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000017 http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.securityfocus.com/bid/52138 http://www.securitytracker.com/id?1026738 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2012-1262 – Movable Type Publishing Platform Cross Site Scripting
https://notcve.org/view.php?id=CVE-2012-1262
Cross-site scripting (XSS) vulnerability in cgi-bin/mt/mt-wizard.cgi in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the dbuser parameter, a different vulnerability than CVE-2012-0318. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en cgi-bin/mt/mt-wizard.cgi de Movable Type anteriores a 4.38, 5.0x anteriores a 5.07, y 5.1x anteriores a 5.13, si el producto es instalado de manera incompleta, permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro dbuser, una vulnerabilidad distinta a la CVE-2012-0318. Movable Type Publishing Platform versions prior to 5.13, 5.07, and 4.38 are affected by a cross site scripting vulnerability. After extracting the Moveable Type CGI files and source files on to a web server, but before the application is fully installed, cross site scripting vulnerabilities are present in the '/cgi-bin/mt/mt-wizard.cgi' page. • http://jvn.jp/en/jp/JVN49836527/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2012-000016 http://osvdb.org/79470 http://packetstormsecurity.org/files/110203/Movable-Type-Publishing-Platform-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2012/Feb/407 http://www.debian.org/security/2012/dsa-2423 http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-2480
https://notcve.org/view.php?id=CVE-2009-2480
Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart Movable Type 4.24, and 4.25 when global templates are not initialized, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados - XSS - en mt-wizard.cgi en Six Apart Movable Type v4.24, y v4.25, cuando plantillas globales no son inicializadas, permite atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través de vectores no especificados. • http://jvn.jp/en/jp/JVN97248625/index.html http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000020.html http://secunia.com/advisories/35534 http://www.movabletype.org/documentation/appendices/release-notes/426.html http://www.securityfocus.com/bid/35471 http://www.vupen.com/english/advisories/2009/1668 https://exchange.xforce.ibmcloud.com/vulnerabilities/51329 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •