#VU69360 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page in Six Apart Ltd products - CVE-2022-43660

Cybersecurity Help s.r.o.

Published: 2022-11-16

Vulnerability identifier: #VU69360

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-43660

CWE-ID: CWE-97

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Movable Type
Web applications / CMS
Movable Type Advanced
Web applications / CMS
Movable Type Premium
Web applications / CMS
Movable Type Premium Advanced
Web applications / CMS

Vendor: Six Apart Ltd

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to improper neutralization of server-side includes (SSI) within a web page. A remote administrator can execute an arbitrary Perl script and/or an arbitrary OS command.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Movable Type: r.5301

Movable Type Advanced: r.5301

Movable Type Premium: 1.53

Movable Type Premium Advanced: 1.53

External links
https://jvn.jp/en/jp/JVN37014768/index.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Six Apart Movable Type