Vulnerabilites related to Six Apart, Ltd. - Movable Type Advanced
jvndb-2021-000017
Vulnerability from jvndb
Published
2021-02-24 15:20
Modified
2021-02-24 15:20
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in Movable Type
Details
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.
*Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663
*Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664
*Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665
Six Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000017.html",
"dc:date": "2021-02-24T15:20+09:00",
"dcterms:issued": "2021-02-24T15:20+09:00",
"dcterms:modified": "2021-02-24T15:20+09:00",
"description": "Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.\r\n*Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663\r\n*Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664\r\n*Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665\r\n\r\nSix Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000017.html",
"sec:cpe": [
{
"#text": "cpe:/a:sixapart:movable_type",
"@product": "Movable Type",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_advanced",
"@product": "Movable Type Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium",
"@product": "Movable Type Premium",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium_advanced",
"@product": "Movable Type Premium Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-000017",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN66542874/index.html",
"@id": "JVN#66542874",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20663",
"@id": "CVE-2021-20663",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20664",
"@id": "CVE-2021-20664",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20665",
"@id": "CVE-2021-20665",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20663",
"@id": "CVE-2021-20663",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20664",
"@id": "CVE-2021-20664",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20665",
"@id": "CVE-2021-20665",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple cross-site scripting vulnerabilities in Movable Type"
}
jvndb-2025-000014
Vulnerability from jvndb
Published
2025-02-19 16:19
Modified
2025-02-19 16:19
Severity ?
Summary
Multiple cross-site scripting vulnerabilities in Movable Type
Details
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.
<ul><li>Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79) - CVE-2025-22888</li>
<li>Stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79) - CVE-2025-24841</li>
<ul><li>affected when TinyMCE6 is used as a rich text editor</li></ul>
<li>Reflected cross-site scripting vulnerability in the user information edit page (CWE-79) - CVE-2025-25054</li>
<ul><li>affected when Multi-Factor authentication plugin for Sign-in is enabled</li></ul></ul>
LEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly.
Six Apart Ltd. found CVE-2025-22888 and CVE-2025-24841.
Six Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000014.html",
"dc:date": "2025-02-19T16:19+09:00",
"dcterms:issued": "2025-02-19T16:19+09:00",
"dcterms:modified": "2025-02-19T16:19+09:00",
"description": "Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79) - CVE-2025-22888\u003c/li\u003e\r\n\u003cli\u003eStored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79) - CVE-2025-24841\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eaffected when TinyMCE6 is used as a rich text editor\u003c/li\u003e\u003c/ul\u003e\r\n\u003cli\u003eReflected cross-site scripting vulnerability in the user information edit page (CWE-79) - CVE-2025-25054\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eaffected when Multi-Factor authentication plugin for Sign-in is enabled\u003c/li\u003e\u003c/ul\u003e\u003c/ul\u003e\r\n\r\nLEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly.\r\nSix Apart Ltd. found CVE-2025-22888 and CVE-2025-24841.\r\nSix Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000014.html",
"sec:cpe": [
{
"#text": "cpe:/a:sixapart:movable_type",
"@product": "Movable Type",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_advanced",
"@product": "Movable Type Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium",
"@product": "Movable Type Premium",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium_advanced",
"@product": "Movable Type Premium (Advanced Edition)",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000014",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN48742353/index.html",
"@id": "JVN#48742353",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-22888",
"@id": "CVE-2025-22888",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-24841",
"@id": "CVE-2025-24841",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-25054",
"@id": "CVE-2025-25054",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple cross-site scripting vulnerabilities in Movable Type"
}
jvndb-2020-000009
Vulnerability from jvndb
Published
2020-02-06 12:29
Modified
2020-02-06 12:29
Severity ?
Summary
Movable Type vulnerable to cross-site scripting
Details
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79) in block editor and rich text editor.
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN94435544/index.html | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5528 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2020-5528 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000009.html",
"dc:date": "2020-02-06T12:29+09:00",
"dcterms:issued": "2020-02-06T12:29+09:00",
"dcterms:modified": "2020-02-06T12:29+09:00",
"description": "Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79) in block editor and rich text editor.\r\n\r\nSix Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000009.html",
"sec:cpe": [
{
"#text": "cpe:/a:sixapart:movable_type",
"@product": "Movable Type",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_advanced",
"@product": "Movable Type Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium",
"@product": "Movable Type Premium",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium_advanced",
"@product": "Movable Type Premium Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2020-000009",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN94435544/index.html",
"@id": "JVN#94435544",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5528",
"@id": "CVE-2020-5528",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5528",
"@id": "CVE-2020-5528",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Movable Type vulnerable to cross-site scripting"
}
jvndb-2023-000105
Vulnerability from jvndb
Published
2023-10-25 15:18
Modified
2024-05-10 17:47
Severity ?
Summary
Movable Type vulnerable to cross-site scripting
Details
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79).
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN39139884/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2023-45746 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2023-45746 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000105.html",
"dc:date": "2024-05-10T17:47+09:00",
"dcterms:issued": "2023-10-25T15:18+09:00",
"dcterms:modified": "2024-05-10T17:47+09:00",
"description": "Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nSix Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000105.html",
"sec:cpe": [
{
"#text": "cpe:/a:sixapart:movable_type",
"@product": "Movable Type",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_advanced",
"@product": "Movable Type Advanced",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium",
"@product": "Movable Type Premium",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/a:sixapart:movable_type_premium_advanced",
"@product": "Movable Type Premium (Advanced Edition)",
"@vendor": "Six Apart, Ltd.",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000105",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN39139884/index.html",
"@id": "JVN#39139884",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45746",
"@id": "CVE-2023-45746",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45746",
"@id": "CVE-2023-45746",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Movable Type vulnerable to cross-site scripting"
}