CVE-2021-20815
Description
Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier) allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Movable Type's Edit Boilerplate screen allows remote attackers to inject arbitrary script or HTML.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Edit Boilerplate screen of Movable Type. This flaw affects Movable Type 7 r.4903 and earlier (7 Series), Movable Type 6.8.0 and earlier (6 Series), Movable Type Advanced 7 r.4903 and earlier (Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier [1]. The vulnerability is triggered via unspecified vectors, allowing injection of arbitrary script or HTML.
Exploitation
An attacker can exploit this vulnerability by convincing a logged-in administrator or user with access to the Edit Boilerplate screen to interact with a crafted link or content. No authentication is required for the initial delivery, but the victim must be authenticated to the application for the injected script to execute in the context of their session [1]. The attack vector is network-based and requires user interaction (e.g., clicking a malicious link).
Impact
Successful exploitation allows the attacker to execute arbitrary script or HTML in the victim's browser within the security context of the affected Movable Type application. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page [1]. The CVSS v3 base score is 6.1 (Medium), with impacts on confidentiality and integrity, but not availability.
Mitigation
Six Apart released fixed versions: Movable Type 7 r.5001 (v7.8.0), Movable Type 6.8.1, and corresponding Advanced, Premium, and Premium Advanced updates [2]. Users should upgrade to these versions or later. No workarounds are documented; applying the vendor-supplied patch is the recommended mitigation [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7 r.4903 and earlier (7 Series), 6.8.0 and earlier (6 Series)
- Range: 7 r.4903 and earlier
- Range: 1.44 and earlier
- Six Apart Ltd./Movable Type (v5) Range: Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.44 and earlier, and Movable Type Premium Advanced 1.44 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] jvn.jp/en/jp/JVN97545738/index.html (MISC)
- [2] movabletype.org/news/2021/08/mt-780-681-released.html (MISC)
News mentions
No linked articles in our index yet.