CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38972
https://notcve.org/view.php?id=CVE-2022-38972
Cross-site scripting vulnerability in Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series) and versions prior to 3.9.1 (for Movable Type 6 Series) allows a remote unauthenticated attacker to inject an arbitrary script. Una vulnerabilidad de tipo cross-site scripting en Movable Type plugin A-Form versiones anteriores a 4.1.1 (para la serie 7 de Movable Type) y versiones anteriores a 3.9.1 (para la serie 6 de Movable Type) permite a un atacante remoto no autenticado inyectar un script arbitrario • https://jvn.jp/en/jp/JVN48120704/index.html https://www.ark-web.jp/blog/archives/2022/09/a-series-411-391.html https://www.ark-web.jp/movabletype/blog/2022/09/a-series-411-391.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2011-2676
https://notcve.org/view.php?id=CVE-2011-2676
The A-Form and A-Form bamboo before 1.3.6 and 2.x before 2.0.3, and A-Form PC and PC/Mobile before 3.1, plug-ins for Movable Type do not require administrative authentication, which allows remote authenticated users to modify data via unspecified vectors. Lo complementos A-Form y A-Form bamboo antes de v1.3.6 y v2.x antes de v2.0.3, y A-Form PC y PC/Mobile antes de v3.1 para Movable Type, no requieren autenticación administrativa, lo que permite a usuarios autenticados remotamente modificar datos a través de vectores no especificados • http://jvn.jp/en/jp/JVN34980730/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2011-000078 http://www.ark-web.jp/movabletype/a-form/docs/security_patch.html http://www.ark-web.jp/movabletype/blog/2011/09/aform_update110927.html https://exchange.xforce.ibmcloud.com/vulnerabilities/70408 • CWE-287: Improper Authentication •