jvndb-2025-000014
Vulnerability from jvndb
Published
2025-02-19 16:19
Modified
2025-02-19 16:19
Severity ?
6.1 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Multiple cross-site scripting vulnerabilities in Movable Type
Details
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. <ul><li>Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79) - CVE-2025-22888</li> <li>Stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79) - CVE-2025-24841</li> <ul><li>affected when TinyMCE6 is used as a rich text editor</li></ul> <li>Reflected cross-site scripting vulnerability in the user information edit page (CWE-79) - CVE-2025-25054</li> <ul><li>affected when Multi-Factor authentication plugin for Sign-in is enabled</li></ul></ul> LEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly. Six Apart Ltd. found CVE-2025-22888 and CVE-2025-24841. Six Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.
References
JVN https://jvn.jp/en/jp/JVN48742353/index.html
CVE https://www.cve.org/CVERecord?id=CVE-2025-22888
CVE https://www.cve.org/CVERecord?id=CVE-2025-24841
CVE https://www.cve.org/CVERecord?id=CVE-2025-25054
Cross-site Scripting(CWE-79) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Six Apart, Ltd.Movable Type
Six Apart, Ltd.Movable Type Advanced
Six Apart, Ltd.Movable Type Premium
Six Apart, Ltd.Movable Type Premium (Advanced Edition)
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000014.html",
  "dc:date": "2025-02-19T16:19+09:00",
  "dcterms:issued": "2025-02-19T16:19+09:00",
  "dcterms:modified": "2025-02-19T16:19+09:00",
  "description": "Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the custom block edit page of MT Block Editor (CWE-79) - CVE-2025-22888\u003c/li\u003e\r\n\u003cli\u003eStored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor (CWE-79) - CVE-2025-24841\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eaffected when TinyMCE6 is used as a rich text editor\u003c/li\u003e\u003c/ul\u003e\r\n\u003cli\u003eReflected cross-site scripting vulnerability in the user information edit page (CWE-79) - CVE-2025-25054\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eaffected when Multi-Factor authentication plugin for Sign-in is enabled\u003c/li\u003e\u003c/ul\u003e\u003c/ul\u003e\r\n\r\nLEE BEOMSEOK of KOIWAI DAIRY PRODUCTS CO., LTD. found and reported CVE-2025-25054 to Six Apart Ltd. directly.\r\nSix Apart Ltd. found CVE-2025-22888 and CVE-2025-24841.\r\nSix Apart Ltd. coordinated with JPCERT/CC to notify users of the solution through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000014.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:sixapart:movable_type",
      "@product": "Movable Type",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_advanced",
      "@product": "Movable Type Advanced",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_premium",
      "@product": "Movable Type Premium",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_premium_advanced",
      "@product": "Movable Type Premium (Advanced Edition)",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "6.1",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000014",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN48742353/index.html",
      "@id": "JVN#48742353",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-22888",
      "@id": "CVE-2025-22888",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-24841",
      "@id": "CVE-2025-24841",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-25054",
      "@id": "CVE-2025-25054",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple cross-site scripting vulnerabilities in Movable Type"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.