{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-45746", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2023-10-12T05:42:52.133Z", "datePublished": "2023-10-30T04:57:43.561Z", "dateUpdated": "2023-10-30T04:57:43.561Z"}, "containers": {"cna": {"affected": [{"vendor": "Six Apart Ltd.", "product": "Movable Type 7 (Movable Type 7 Series)", "versions": [{"version": "r.5405 and earlier", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Advanced 7 (Movable Type 7 Series)", "versions": [{"version": "r.5405 and earlier", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium", "versions": [{"version": "1.58 and earlier", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium Advanced", "versions": [{"version": "1.58 and earlier", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Cloud Edition (Version 7)", "versions": [{"version": "r.5405 and earlier", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium Cloud Edition", "versions": [{"version": "1.58 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en", "type": "text"}]}], "references": [{"url": "https://movabletype.org/news/2023/10/mt-79020-released.html"}, {"url": "https://jvn.jp/en/jp/JVN39139884/"}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-10-30T04:57:43.561Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:*:*:*:*", "matchCriteriaId": "D242B396-0197-493E-9CE5-4EBB5A5CF36E", "versionEndExcluding": "7.902.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:advanced:*:*:*", "matchCriteriaId": "9BEB4B78-5B34-4270-BF2D-BD3D0F096D36", "versionEndExcluding": "7.902.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium:*:*:*", "matchCriteriaId": "6F1DEC6D-4344-4258-BF96-5AB5FFCBED42", "versionEndExcluding": "1.59", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium_advanced:*:*:*", "matchCriteriaId": "0E4BC7F6-287E-4CA1-9E0A-4B5CB968A2D8", "versionEndExcluding": "1.59", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:aws:*:*:*", "matchCriteriaId": "7E6E65B7-1E20-4564-A045-7BB7DD8B3A09", "versionEndExcluding": "7.902.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sixapart:movable_type:*:*:*:*:advanced_aws:*:*:*", "matchCriteriaId": "2877D685-C71B-4E0B-96AB-9CC6B68EEF8B", "versionEndExcluding": "1.59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en la serie Movable Type permite a un atacante remoto autenticado inyectar un script arbitrario. Los productos/versiones afectados son los siguientes: \nMovable Type 7 r.5405 y anteriores (Serie Movable Type 7)\nMovable Type Advanced 7 r.5405 y anteriores (Serie Movable Type 7)\nMovable Type Premium 1.58 y anteriores, Movable Type Premium Advanced 1.58 y anteriores\nMovable Type Cloud Edition (Versi\u00f3n 7) r.5405 y anteriores\nMovable Type Premium Cloud Edition 1.58 y anteriores."}], "id": "CVE-2023-45746", "lastModified": "2023-11-08T12:49:08.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-30T05:15:09.993", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN39139884/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Release Notes"], "url": "https://movabletype.org/news/2023/10/mt-79020-released.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}