Date: Mon, 6 Jan 2014 06:49:04 +0100
From: Salvatore Bonaccorso <>
Cc: Dominic Hargreaves <>
Subject: CVE Request: cross-site scripting vulnerabilities in movable type
 6.0.1, 5.2.9, and 5.161


A movable type update to 6.0.1, 5.29 and 5.161 fixes cross-site
scripting attacks, from the announcement:

> The Rich Text Editor in previous versions of Movable Type 6 and
> Movable Type 5 are susceptible to cross-site scripting (XSS) attacks.
> A remote attacker can inject JavaScript into a page or entry in a
> Movable Type blog or website. This JavaScript can be executed on the
> client browser when that page or entry is subsequently displayed in
> the Rich Text Editor.
> These vulnerabilities were reported by a member of the Movable Type
> community, and were kept confidential until the release of the updated
> versions of Movable Type.


Looking through the git repository at [1], there is at least [2] which
seems to indicate the fix for the 5.2.x branch (I cannot say though if
this is the complete one).


Debian Bugtracker reference is at [3].


Is there enough information to identify the vulnerability and to get a
CVE assigned for this issue?

