CVE-2021-20810
Description
Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Movable Type's Website Management screen allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Website Management screen of Movable Type. Affected versions include Movable Type 7 r.4903 and earlier (7 Series), Movable Type 6.8.0 and earlier (6 Series), Movable Type Advanced 7 r.4903 and earlier (Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier [1]. The vulnerability is triggered via unspecified vectors, allowing injection of arbitrary script or HTML [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input or link that, when accessed by a user with access to the Website Management screen, executes injected script. The attack requires no authentication but relies on user interaction (e.g., clicking a link) [1]. The CVSS v3 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating low complexity and network access [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script in the victim's browser within the context of the Movable Type application. This can lead to disclosure of sensitive information, session hijacking, or other client-side attacks. The impact is limited to low confidentiality and low integrity, with a changed scope [1].
Mitigation
Six Apart released fixed versions: Movable Type 7 r.5001 (v7.8.0) and Movable Type 6.8.1 on August 25, 2021 [2]. Users should upgrade to these versions or later. No workarounds are documented in the available references [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: Movable Type 7 series <= r.4903, Movable Type 6 series <= 6.8.0, Movable Type Advanced 7 series <= r.4903, Movable Type Premium <= 1.44, Movable Type Premium Advanced <= 1.44
- Six Apart Ltd./Movable Typev5Range: Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- jvn.jp/en/jp/JVN97545738/index.htmlmitrex_refsource_MISC
- movabletype.org/news/2021/08/mt-780-681-released.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.