CVE-2022-38078
high-risk
Published 2022-08-24
The Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message via POST to the Movable Type XMLRPC API may allow arbitrary Perl script execution, through which an arbitrary OS command may be executed. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later, including unsupported (End-of-Life, EOL) versions, are also affected by this vulnerability.
Do I need to act?
5.2% chance of exploitation in the next 30 days (EPSS score: moderate exploit probability)
Not on the CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 (Critical): attack vector NETWORK, attack complexity LOW
References (4)
Third Party Advisory: https://jvn.jp/en/jp/JVN57728859/index.html
Vendor Advisory: https://movabletype.org/news/2022/08/mt-795-687-released.html
Risk score: 53/100 (high-risk)
Severity: 32/34 (Critical)
Exploitability: 8/34 (Low)
Exposure: 13/34 (Low)