CVE-2021-20663

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and earlier [1]. The issue allows remote attackers to inject an arbitrary script via unspecified vectors, and is assigned CWE-79 [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication, but user interaction is needed (CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, base score 6.1) [1]. The specific attack vector is not detailed, but the vulnerability resides in the authority setting screen. The attacker must craft a malicious input that, when processed by the application, executes a script in the context of a logged-in user's browser upon viewing the affected page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the web browser of a logged-in user [1]. This can lead to disclosure of sensitive information, session hijacking, or other actions that the victim user can perform on the Movable Type installation. The CVSS v3 impact indicates low confidentiality and low integrity impact on the scope-changed target system [1].

Mitigation

Users are advised to update to the latest fixed versions: Movable Type 7 r.4706 (v7.6.0) and Movable Type 6.7.6, released on 2021-02-24 [2]. Movable Type Premium and Premium Advanced users should also update to versions beyond 1.39 as provided by the vendor. No workarounds have been publicly disclosed for this vulnerability.