CVE-2020-5574
Description
HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier) allows remote attackers to inject arbitrary HTML attribute value via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type series releases prior to the patched versions allow remote attackers to inject arbitrary HTML attribute values via unspecified vectors.
Vulnerability
An HTML attribute value injection vulnerability exists in Movable Type series, including Movable Type 7 r.4606 (7.2.1) and earlier, Movable Type Advanced 7 r.4606 (7.2.1) and earlier, Movable Type for AWS 7 r.4606 (7.2.1) and earlier, Movable Type 6.5.3 and earlier, Movable Type Advanced 6.5.3 and earlier, Movable Type 6.3.11 and earlier, Movable Type Advanced 6.3.11 and earlier, Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier [1]. The vulnerability allows remote attackers to inject arbitrary HTML attribute values via unspecified vectors [1].
Exploitation
An attacker can exploit this vulnerability remotely with no authentication required, but user interaction is required (e.g., clicking a crafted link) [1]. The exact mechanism for injection is not detailed, but it involves manipulating input such that arbitrary attribute values are inserted into HTML elements [1].
Impact
Successful exploitation allows the attacker to inject arbitrary HTML attribute values, leading to low integrity impact [1]. This could be used to alter page behavior or appearance, but does not directly compromise confidentiality or availability [1].
Mitigation
Movable Type has released patched versions: Movable Type 7 r.4607 (7.3.0), Movable Type 6.6.0, and Movable Type 6.3.12 [2]. Users should upgrade to these versions or later. No workarounds are provided [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 7.2.1
- Range: <= 7.2.1
- Six Apart Ltd./Movable Type (v5), Range: Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1) and earlier (Movable Type for AWS 7), Movable Type 6.5.3 and earlier (Movable Type 6.5), Movable Type Advanced 6.5.3 and earlier (Movable Type Advanced 6.5), Movable Type 6.3.11 and earlier (Movable Type 6.3), Movable Type Advanced 6.3.11 and earlier (Movable Type 6.3), Movable Type Premium 1.29 and earlier, and Movable Type Premium Advanced 1.29 and earlier
Patches
No patches discovered yet.
References
- jvn.jp/en/jp/JVN28806943/index.html (mitre, x_refsource_MISC)
- movabletype.org/news/2020/05/mt-730-660-6312-released.html (mitre, x_refsource_MISC)