CVE-2021-20808
Description
Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Movable Type Search screen allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Vulnerability
CVE-2021-20808 is a cross-site scripting (XSS) vulnerability in the Search screen of Movable Type. The issue affects Movable Type 7 r.4903 and earlier (7 Series), Movable Type 6.8.0 and earlier (6 Series), Movable Type Advanced 7 r.4903 and earlier, Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier [1]. The vulnerability is classified as CWE-79 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or input that, when processed by the Search screen, injects arbitrary script or HTML. The attack requires user interaction (e.g., clicking a link) and can be performed remotely without authentication [1]. The CVSS v3 base score is 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script in the context of the victim's browser, potentially leading to information disclosure (e.g., session tokens) or defacement. The impact is limited to the user's session and does not directly compromise the server [1].
Mitigation
The vendor released fixed versions: Movable Type 7 r.5001 (v7.8.0) and Movable Type 6.8.1 [2]. Users should upgrade to these versions or later. No workarounds are mentioned in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Six Apart Ltd./Movable Typev5Range: Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- jvn.jp/en/jp/JVN97545738/index.htmlmitrex_refsource_MISC
- movabletype.org/news/2021/08/mt-780-681-released.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.