Movable Type 6.3.12 Release Notes

This version of Movable Type was released May 13, 2020.

Movable Type 6.3.12 Release Note.

Movable Type 6.3.12 includes several security fixes.

Resolved Issues

Security Fixes and Improvements

• [MTC-27147] Fix XSS in __mode=rebuild. (CVE-2020-5575)
• [MTC-27146] Fix CSRF in _mode=startrebuild. (CVE-2020-5576)
• [MTC-27144] Fix XSS in template list. (CVE-2020-5575)
• [MTC-27143] Fix CSRF via Sign-In page. (CVE-2020-5576)
• [MTC-27142] Fix not to upload a double extension PHP file. (CVE-2020-5577)
• [MTC-27141] Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
• [MTC-27140] Fix XSS in _mode=startrebuild. (CVE-2020-5575)

Acknowledgements

Many bug fixes and patch offerings reported by the Movable Type community are included in this release. The names of community members who provided patches and bug reports through Jira are as follows. I appreciate your cooperation! (In no particular order, titles omitted)

• Toshitsugu Yoneyama / Mitsui Bussan Secure Directions, Inc., IPA, JPCERT/CC, - MTC-27147、MTC-27146、MTC-27144、MTC-27143、MTC-27141、MTC-27140
• Yuji Tounai / Mitsui Bussan Secure Directions, Inc., IPA, JPCERT/CC, - MTC-27142
• Lift - MTC-27141