Unrated severity · NVD Advisory · Published Oct 30, 2023 · Updated Oct 29, 2024

CVE-2023-45746

Description

Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Movable Type series allows authenticated attackers to inject arbitrary scripts; fixed in versions r.5501 and 1.59.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Movable Type series, including Movable Type 7 r.5405 and earlier, Movable Type Advanced 7 r.5405 and earlier, Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier [1][2]. The vulnerability allows an authenticated attacker to inject arbitrary script into the application, which may be executed in the context of another logged-in user's browser.

Exploitation

An attacker must be authenticated to the Movable Type instance. The attacker can craft malicious input that, when viewed by another authenticated user, executes arbitrary JavaScript in the victim's browser. The available references do not detail the exact attack vector; depending on the injection point, it is classified as stored or reflected XSS [1].

Impact

Successful exploitation allows the attacker to execute arbitrary script in the context of the victim's session. This can lead to information disclosure (e.g., session tokens, cookies), unauthorized actions performed on behalf of the victim, or defacement of the application interface [1].

Mitigation

Six Apart has released updates that fix this vulnerability: Movable Type 7 r.5501, Movable Type Advanced 7 r.5501, Movable Type Premium 1.59, Movable Type Premium Advanced 1.59, Movable Type Cloud Edition (Version 7) r.5501, and Movable Type Premium Cloud Edition 1.59 [1][2]. Users should upgrade to these versions immediately. No workarounds are documented in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Range: <= r.5405
  • Range: <= 1.58
  • Six Apart Ltd./Movable Type 7 (Movable Type 7 Series)v5
    Range: r.5405 and earlier
  • Six Apart Ltd./Movable Type Advanced 7 (Movable Type 7 Series)v5
    Range: r.5405 and earlier
  • Six Apart Ltd./Movable Type Cloud Edition (Version 7)v5
    Range: r.5405 and earlier
  • Six Apart Ltd./Movable Type Premiumv5
    Range: 1.58 and earlier
  • Six Apart Ltd./Movable Type Premium Advancedv5
    Range: 1.58 and earlier
  • Six Apart Ltd./Movable Type Premium Cloud Editionv5
    Range: 1.58 and earlier

References

2
