Description

Movable Type versions <= 6.0.6 and <= 5.2.11 are susceptible to LFI (local file inclusion) attacks due to a vulnerability of Storable perl module. It allows an attacker to include a file and run any perl script the web server.

Remediation

Upgrade to the latest version of Movable Type. Movable Type 5.0x and 5.1x has reached End of Life and is no longer supported. For users that are running any version of 5.0x and 5.1x, please upgrade to Movable Type 5.2.12.

References

Movable Type 6.0.7 And 5.2.12 Released To Close Security Vulnerability

Related Vulnerabilities

Drupal Core 8.8.x Remote Code Execution (8.8.0 - 8.8.11)

Cmd hijack vulnerability

Xdebug remote code execution via xdebug.remote_connect_back

CakePHP 1.3.5 / 1.2.8 unserialize() vulnerability

IBM WebSphere RCE Java Deserialization Vulnerability

Severity

High

Classification

CVE-2015-1592 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Code Execution Configuration