Sixapart Movable Type vulnerabilities
41 known vulnerabilities affecting sixapart/movable_type.
Total CVEs: 41
CISA KEV: 0
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 9, MEDIUM 25, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2021-20837 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | Exploited | PoC | ≤ 1.46 | ≥ 4.0, ≤ 6.3.11 | +2 more | 2021-10-26
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and ea
nvd
CVE-2015-1592 | P2 | HIGH | CVSS 7.5 | CWE-74 | PoC | ≥ 5.2.0, < 5.2.12 | ≥ 6.0, < 6.0.7 | 2015-02-19
Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.
nvd
CVE-2013-0209 | P2 | HIGH | CVSS 7.5 | CWE-287 | PoC | v4.21 | v4.22 | +19 more | 2013-01-23
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, l
nvd
CVE-2022-38078 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.53 | ≥ 6.0.0, < 6.8.7 | +1 more | 2022-08-24
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earli
nvd
CVE-2026-25776 | P2 | CRITICAL | CVSS 9.3 | CWE-94 | ≤ 2.14 | v9.0.5 | +5 more | 2026-04-08
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
nvd
CVE-2016-5742 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | v6.0 | v6.0.1 | +13 more | 2017-01-23
SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2026-33088 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | ≥ 8.0.2, < 8.0.10 | ≥ 8.8.0, < 8.8.3 | +5 more | 2026-04-08
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
nvd
CVE-2020-5577 | P3 | HIGH | CVSS 8.8 | CWE-434 | ≤ 1.29 | ≥ 6.3, ≤ 6.3.11 | +2 more | 2020-05-14
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5),
nvd
CVE-2013-2184 | P3 | HIGH | CVSS 7.5 | CWE-17 | ≤ 5.2.5 | 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.
nvd
CVE-2014-9057 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 5.17 | v5.2 | +15 more | 2014-12-16
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2022-43660 | P3 | HIGH | CVSS 7.2 | CWE-94 | ≤ 1.53 | ≥ 7.0, < 7.9.6 | 2022-12-07
Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movab
nvd
CVE-2012-1503 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | PoC | v5.13 | 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.
nvd
CVE-2020-5576 | P3 | HIGH | CVSS 8.8 | CWE-352 | ≤ 1.29 | ≥ 6.3, ≤ 6.3.11 | +2 more | 2020-05-14
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advan
nvd
CVE-2012-0320 | P3 | HIGH | CVSS 7.5 | ≤ 4.37 | v4.28 | +33 more | 2012-03-03
Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via unspecified vectors related to the (1) commenting feature and (2) community script.
nvd
CVE-2011-5085 | P3 | HIGH | CVSS 7.5 | v4.0 | v4.01 | +25 more | 2012-04-02
Unspecified vulnerability in Movable Type 4.x before 4.36 and 5.x before 5.05 allows remote attackers to read or modify data via unknown vectors.
nvd
CVE-2022-45113 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | ≤ 1.53 | ≥ 6.0, < 6.8.7 | +1 more | 2022-12-07
Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earl
nvd
CVE-2009-0752 | P4 | CRITICAL | CVSS 10.0 | v4.0 | v4.01 | +5 more | 2009-03-03
Unspecified vulnerability in Movable Type Pro and Community Solution 4.x before 4.24 has unknown impact and attack vectors, possibly related to the password recovery mechanism.
nvd
CVE-2020-5574 | P4 | MEDIUM | CVSS 5.3 | CWE-74 | ≤ 1.29 | ≥ 6.3, ≤ 6.3.11 | +2 more | 2020-05-14
HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advance
nvd
CVE-2012-0317 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | ≤ 4.37 | v4.28 | +33 more | 2012-03-03
Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users for requests that modify data via the (1) commenting feature or (2) community script.
nvd
CVE-2022-45122 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 1.53 | ≥ 6.0, < 6.8.7 | +1 more | 2022-12-07
Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earli
nvd