漏洞信息详情

Six Apart Movable Type mt-wizard.cgi跨站脚本攻击漏洞

• CNNVD编号：CNNVD-200907-282
• 危害等级： 中危
  
• CVE编号： CVE-2009-2492
• 漏洞类型： 跨站脚本
• 发布时间： 2009-07-17
• 威胁类型： 远程
• 更新时间： 2009-07-17
• 厂        商： sixapart
• 漏洞来源： &

漏洞简介

在4.261版本以前的Six Apart Movable Type的mt-wizard.cgi存在跨站脚本攻击漏洞会允许远程攻击者通过未知向量来注入任意WEB脚本或HTML。该漏洞与CVE-2009-2480不同。

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Movable Type Movable Type 4.24

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.25

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.26

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.22

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.13

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.21

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.23

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

Movable Type Movable Type 4.01

Movable Type Movable Type 4.261

http://www.movabletype.org/download.HTML

参考网址

来源: VUPEN

名称: ADV-2009-1668

链接:http://www.vupen.com/english/advisories/2009/1668

来源: JVNDB

名称: JVNDB-2009-000042

链接:http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000042.HTML

来源: BID

名称: 35885

链接:http://www.securityfocus.com/bid/35885

来源: SECUNIA

名称: 35534

链接:http://secunia.com/advisories/35534

来源: JVN

名称: JVN#86472161

链接:http://jvn.jp/en/jp/JVN86472161/index.HTML

受影响实体

• Sixapart Movable_type:4.23:-:Community_solution  
• Sixapart Movable_type:4.21:-:Pro  
• Sixapart Movable_type:4.21:-:Community_solution  
• Sixapart Movable_type:4.21  
• Sixapart Movable_type:4.2:-:Pro  

补丁

暂无