Vulnerability-Lookup

CVE-2021-20664 (GCVE-0-2021-20664)

Vulnerability from cvelistv5 – Published: 2021-03-05 09:20 – Updated: 2024-08-03 17:45

Summary

Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Cross-site scripting

Assigner

jpcert

References

URL

	Vendor	Product	Version
	Six Apart Ltd.	Movable Type	Affected: Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier

GHSA-PWW3-VWVW-Q638

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-20664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-05T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.",
  "id": "GHSA-pww3-vwvw-q638",
  "modified": "2022-05-24T17:43:44Z",
  "published": "2022-05-24T17:43:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20664"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN66542874/index.html"
    },
    {
      "type": "WEB",
      "url": "https://movabletype.org/news/2021/02/mt-760-676-released.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2021-20664

Vulnerability from fkie_nvd - Published: 2021-03-05 10:15 - Updated: 2024-11-21 05:46

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN66542874/index.html	Third Party Advisory
vultures@jpcert.or.jp	https://movabletype.org/news/2021/02/mt-760-676-released.html	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN66542874/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://movabletype.org/news/2021/02/mt-760-676-released.html	Release Notes, Vendor Advisory

Impacted products

Vendor	Product	Version
movabletype	movable_type	*
movabletype	movable_type	*
movabletype	movable_type_advanced	*
movabletype	movable_type_premium	*
movabletype	movable_type_premium_advanced	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:movabletype:movable_type:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E6A3188-DAC7-4AF9-9CEC-503A1AF0AC2C",
              "versionEndIncluding": "6.7.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:movabletype:movable_type:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "698F51C3-0429-4431-88A5-728A3069D02B",
              "versionEndIncluding": "7.4705",
              "versionStartIncluding": "7.0000",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:movabletype:movable_type_advanced:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00880E0E-D684-4CEB-8456-0974C050C57A",
              "versionEndIncluding": "7.4705",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:movabletype:movable_type_premium:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00701C5D-F374-4FE2-8617-9EE8708308C6",
              "versionEndIncluding": "1.39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:movabletype:movable_type_premium_advanced:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F76DB403-8212-43C2-B82D-C045306F3C69",
              "versionEndIncluding": "1.39",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting en la pantalla de registro Asset de Movable Type 7 r.4705 y anteriores (Movable Type 7 Series), Movable Type Advanced 7 r.4705 y anteriores (Movable Type Advanced 7 Series), Movable Type versiones 6.7.5 y anteriores (Movable Type 6.7 Series), Movable Type Premium versiones 1.39 y anteriores, y Movable Type Premium Advanced versiones 1.39 y anteriores, permiten a atacantes remotos inyectar script arbitrario por medio de vectores no especificados"
    }
  ],
  "id": "CVE-2021-20664",
  "lastModified": "2024-11-21T05:46:58.233",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-05T10:15:12.783",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN66542874/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://movabletype.org/news/2021/02/mt-760-676-released.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN66542874/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://movabletype.org/news/2021/02/mt-760-676-released.html"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-20664

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-20664

Aliases

CVE-2021-20664

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20664",
    "description": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.",
    "id": "GSD-2021-20664"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20664"
      ],
      "details": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.",
      "id": "GSD-2021-20664",
      "modified": "2023-12-13T01:23:12.351766Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2021-20664",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Movable Type",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Six Apart Ltd."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://jvn.jp/en/jp/JVN66542874/index.html",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN66542874/index.html"
          },
          {
            "name": "https://movabletype.org/news/2021/02/mt-760-676-released.html",
            "refsource": "MISC",
            "url": "https://movabletype.org/news/2021/02/mt-760-676-released.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:movabletype:movable_type:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.7.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:movabletype:movable_type:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.4705",
                "versionStartIncluding": "7.0000",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:movabletype:movable_type_advanced:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.4705",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:movabletype:movable_type_premium:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.39",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:movabletype:movable_type_premium_advanced:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.39",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-20664"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jvn.jp/en/jp/JVN66542874/index.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/jp/JVN66542874/index.html"
            },
            {
              "name": "https://movabletype.org/news/2021/02/mt-760-676-released.html",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://movabletype.org/news/2021/02/mt-760-676-released.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-03-22T20:06Z",
      "publishedDate": "2021-03-05T10:15Z"
    }
  }
}

CNVD-2022-22653

Vulnerability from cnvd - Published: 2022-03-25

Title

Six Apart Movable Type跨站脚本漏洞（CNVD-2022-22653）

Description

Six Apart Movable Type是美国Six Apart公司的一个应用系统。提供包含多用户，评论，引用(TrackBack)，主题等功能。 Six Apart Movable Type多款产品存在跨站脚本漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证，攻击者可利用该漏洞通过未指定的向量注入任意脚本。

Severity

中

Patch Name

Six Apart Movable Type跨站脚本漏洞（CNVD-2022-22653）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://movabletype.org/news/2021/02/mt-760-676-released.html

Reference

https://jvn.jp/en/jp/JVN66542874/index.html

Impacted products

Name
['Six Apart Movable Type <=7 r.4705', 'Six Apart Movable Type <=6.7.5', 'Six Apart Movable Type Advanced <=7 r.4705', 'Six Apart Movable Type Premium <=1.39', 'Six Apart Movable Type Premium Advanced <=1.39']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-20664",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-20664"
    }
  },
  "description": "Six Apart Movable Type\u662f\u7f8e\u56fdSix Apart\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7cfb\u7edf\u3002\u63d0\u4f9b\u5305\u542b\u591a\u7528\u6237\uff0c\u8bc4\u8bba\uff0c\u5f15\u7528(TrackBack)\uff0c\u4e3b\u9898\u7b49\u529f\u80fd\u3002\n\nSix Apart Movable Type\u591a\u6b3e\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u672a\u6307\u5b9a\u7684\u5411\u91cf\u6ce8\u5165\u4efb\u610f\u811a\u672c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://movabletype.org/news/2021/02/mt-760-676-released.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-22653",
  "openTime": "2022-03-25",
  "patchDescription": "Six Apart Movable Type\u662f\u7f8e\u56fdSix Apart\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7cfb\u7edf\u3002\u63d0\u4f9b\u5305\u542b\u591a\u7528\u6237\uff0c\u8bc4\u8bba\uff0c\u5f15\u7528(TrackBack)\uff0c\u4e3b\u9898\u7b49\u529f\u80fd\u3002\r\n\r\nSix Apart Movable Type\u591a\u6b3e\u4ea7\u54c1\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u672a\u6307\u5b9a\u7684\u5411\u91cf\u6ce8\u5165\u4efb\u610f\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Six Apart Movable Type\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-22653\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Six Apart Movable Type \u003c=7 r.4705",
      "Six Apart Movable Type \u003c=6.7.5",
      "Six Apart Movable Type Advanced \u003c=7 r.4705",
      "Six Apart Movable Type Premium \u003c=1.39",
      "Six Apart Movable Type Premium Advanced \u003c=1.39"
    ]
  },
  "referenceLink": "https://jvn.jp/en/jp/JVN66542874/index.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-11",
  "title": "Six Apart Movable Type\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-22653\uff09"
}

JVNDB-2021-000017

Vulnerability from jvndb - Published: 2021-02-24 15:20 - Updated:2021-02-24 15:20

Severity ?

6.1 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

Multiple cross-site scripting vulnerabilities in Movable Type

Details

Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. *Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663 *Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664 *Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665 Six Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN66542874/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20663
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20664
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20665
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20663
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20664
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20665
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

	Six Apart, Ltd.	Movable Type
	Six Apart, Ltd.	Movable Type Advanced
	Six Apart, Ltd.	Movable Type Premium
	Six Apart, Ltd.	Movable Type Premium (Advanced Edition)

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000017.html",
  "dc:date": "2021-02-24T15:20+09:00",
  "dcterms:issued": "2021-02-24T15:20+09:00",
  "dcterms:modified": "2021-02-24T15:20+09:00",
  "description": "Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below.\r\n*Cross-site scripting vulnerability in Role authority setting screen (CWE-79) - CVE-2021-20663\r\n*Cross-site scripting vulnerability in Asset registration screen (CWE-79) - CVE-2021-20664\r\n*Cross-site scripting vulnerability in Add asset screen of Contents field (CWE-79) - CVE-2021-20665\r\n\r\nSix Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000017.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:sixapart:movable_type",
      "@product": "Movable Type",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_advanced",
      "@product": "Movable Type Advanced",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_premium",
      "@product": "Movable Type Premium",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:sixapart:movable_type_premium_advanced",
      "@product": "Movable Type Premium (Advanced Edition)",
      "@vendor": "Six Apart, Ltd.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "2.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "6.1",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000017",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN66542874/index.html",
      "@id": "JVN#66542874",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20663",
      "@id": "CVE-2021-20663",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20664",
      "@id": "CVE-2021-20664",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20665",
      "@id": "CVE-2021-20665",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20663",
      "@id": "CVE-2021-20663",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20664",
      "@id": "CVE-2021-20664",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20665",
      "@id": "CVE-2021-20665",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple cross-site scripting vulnerabilities in Movable Type"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-20664 (GCVE-0-2021-20664)

GHSA-PWW3-VWVW-Q638

FKIE_CVE-2021-20664

GSD-2021-20664

CNVD-2022-22653

JVNDB-2021-000017

Tags

Sightings

Nomenclature