CVE-2021-20813

Vulnerability

CVE-2021-20813 is a cross-site scripting (XSS) vulnerability present in the Edit screen of Content Data in Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) [1][2]. The issue arises due to insufficient input sanitization in the Content Data editing interface, enabling injection of arbitrary script or HTML via unspecified vectors [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious input that is then stored and later rendered in the Edit screen of Content Data [1]. The attack requires user interaction, such as a victim accessing the affected Edit screen after the malicious content has been saved, and no authentication is required for the initial injection (though the injected payload is stored and executed when an authenticated user views the edited content) [1]. The CVSS v3 base score is 6.1, with a network attack vector and low attack complexity [1].

Impact

Successful exploitation allows a remote attacker to inject arbitrary script or HTML into the context of the Edit screen [1]. This can lead to the execution of malicious scripts in the victim's browser, potentially resulting in session hijacking, defacement, or theft of sensitive information within the Movable Type application, as the attacker's payload executes with the privileges of the viewing user [1].

Mitigation

Users should upgrade to Movable Type 7 r.5001 (v7.8.0) or Movable Type Advanced 7 r.5001 (v7.8.0) [2]. For those on the Movable Type 6 series, upgrading to version 6.8.1 is recommended, as these releases include security fixes for CVE-2021-20813 along with other vulnerabilities [2]. No workarounds are detailed in the available references.