VYPR
Unrated severity · NVD Advisory · Published Dec 7, 2022 · Updated Apr 23, 2025

CVE-2022-43660

Description

Improper neutralization of Server-Side Includes (SSI) within a web page in Movable Type series allows a remote authenticated attacker with the 'Manage of Content Types' privilege to execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Include injection in Movable Type allows authenticated attackers with 'Manage of Content Types' privilege to execute arbitrary Perl scripts or OS commands.

Vulnerability

Movable Type suffers from an improper neutralization of Server-Side Includes (SSI) within a web page, identified as CVE-2022-43660. The vulnerability exists due to insufficient sanitization of user-supplied input in content types, allowing the injection of SSI directives. Affected versions include Movable Type 7 r.5301 and earlier (7 Series), Movable Type Advanced 7 r.5301 and earlier (Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier [1].

Exploitation

An attacker must be authenticated and possess the 'Manage of Content Types' privilege. By crafting malicious SSI directives within a content type, the attacker can inject arbitrary Perl scripts or OS commands. The attack does not require user interaction and can be performed over the network with low complexity [1].

Impact

Successful exploitation allows the attacker to execute arbitrary Perl scripts or OS commands on the server. This leads to a full compromise of confidentiality, integrity, and availability, as the attacker can read, modify, or delete data, install malware, or pivot to other systems [1].

Mitigation

Six Apart released fixes in Movable Type 7 r.5401 (v7.9.6) and Movable Type Advanced 7 r.5401 (v7.9.6) on November 16, 2022. Users are strongly advised to upgrade to these versions or later. For Movable Type Premium and Premium Advanced, corresponding updates should be applied as provided by the vendor. No workarounds are documented [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <=7 r.5301
  • Six Apart Ltd./Movable Typev5
    Range: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier
