A vulnerability, which was classified as critical, was found in Movable Type 7, Type Premium and Type Premium Advanced (version unknown). Affected is an unknown function of the component URL Handler. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Having a user to access a specially crafted URL may allow a remote unauthenticated attacker to set a specially crafted URL to the Reset Password page and conduct a phishing attack. Affected products/versions are as follows: Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier.

The weakness was published 12/07/2022. The advisory is shared for download at jvn.jp. This vulnerability is traded as CVE-2022-45113 since 11/15/2022. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Upgrading eliminates this vulnerability. The upgrade is hosted for download at movabletype.org.

Productinfo

Vendor

• Movable

Name

• Type 7
• Type Premium
• Type Premium Advanced

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion