CVE-2022-43660

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:*
cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium_advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:*:*:*:*:-:*:*:*
cpe:2.3:a:sixapart:movable_type:*:*:*:*:advanced:*:*:*

History

21 Nov 2024, 07:26

Type Values Removed Values Added
Summary
  • (es) La neutralización incorrecta de Server-Side Includes (SSW) dentro de una página web de la serie Movable Type permite que un atacante remoto autenticado con el privilegio de 'Administrar tipos de contenido' pueda ejecutar un script Perl arbitrario y/o un comando del sistema operativo arbitrario. Los productos/versiones afectados son los siguientes: Movable Type 7 r.5301 y anteriores (Serie Movable Type 7), Movable Type Advanced 7 r.5301 y anteriores (Serie Movable Type Advanced 7), Movable Type Premium 1.53 y anteriores, y Movable Type Premium Avanzado 1.53 y anteriores.
References () https://jvn.jp/en/jp/JVN37014768/index.html - Third Party Advisory () https://jvn.jp/en/jp/JVN37014768/index.html - Third Party Advisory
References () https://movabletype.org/news/2022/11/mt-796-688-released.html - Release Notes, Vendor Advisory () https://movabletype.org/news/2022/11/mt-796-688-released.html - Release Notes, Vendor Advisory

Information

Published : 2022-12-07 04:15

Updated : 2025-04-23 14:15


NVD link : CVE-2022-43660

Mitre link : CVE-2022-43660

CVE.ORG link : CVE-2022-43660


JSON object : View

Products Affected

sixapart

  • movable_type
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')