CVE-2021-20809

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Create screens of Entry, Page, and Content Type in Movable Type. The flaw is present in Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier [1]. The vulnerability is classified as CWE-79 and allows injection of arbitrary script or HTML via unspecified vectors [1].

Exploitation

An attacker can exploit this vulnerability by convincing a user with administrative access to the affected Create screens to interact with a crafted input. The attack requires no authentication but relies on user interaction (e.g., clicking a link or viewing a malicious page). The CVSS v3 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating low complexity and network access [1]. The exact sequence of steps is not detailed in the available references, but the vulnerability is triggered when the user submits or previews content in the Create screens.

Impact

Successful exploitation allows the attacker to execute arbitrary script or HTML in the context of the victim's browser session. This can lead to disclosure of sensitive information (e.g., session cookies), modification of page content, or further attacks against the Movable Type instance. The impact is limited to the scope of the affected application and user privileges [1].

Mitigation

Six Apart released fixed versions: Movable Type 7 r.5001 (v7.8.0) and Movable Type 6.8.1, which include security fixes for this vulnerability [2]. Users should upgrade to these versions or later. For Movable Type Premium and Premium Advanced, the advisory does not specify a fixed version; users should contact Six Apart for guidance. No workarounds are documented in the available references.