Not a developer? Go to

February 2012

February 21, 2012

Movable Type 5.13, 5.07, and 4.38 Security Updates

By Jun Kaneko and posted in News.

Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. The vulnerabilities were found as a result of our internal security audit, except the one reported from Trustwave (TWSL2012-003). All users must upgrade to this latest release immediately. Impact 5.13, 5.07, and 4.38 address the multiple vulnerabilities including: OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has a permission to sign-in to the admin script and also has a permission to upload files. Session Hijack and CSRF exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code on victim’s browser under the certain circumstances. XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users. XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003) Solution Please upgrade to the latest versions of Movable Type 4 or Movable Type 5. Movable Type Open Source 4.38 Movable Type Open Source…

Read More

Movable Type News