Vulnerability Details: CVE-2012-0317
Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users for requests that modify data via the (1) commenting feature or (2) community script.
Vulnerability category: Cross-site request forgery (CSRF)
Exploit prediction scoring system (EPSS) score for CVE-2012-0317
Probability of exploitation activity in the next 30 days: 0.33%
Percentile (proportion of all scored vulnerabilities with an EPSS score at or below this one): ~67%
CVSS scores for CVE-2012-0317
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST
CWE ids for CVE-2012-0317
- CWE-352 (Cross-Site Request Forgery): The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Assigned by: nvd@nist.gov (Primary)
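The weakness behind this CVE is easier to see in code than in the one-line definition above. The following is an added, self-contained Python example written for this page; it is not Movable Type's code and is not taken from any of the references, and this page does not describe how Movable Type's own fix works. It shows a minimal comment handler that authenticates only by session cookie, which is exactly the CWE-352 pattern a cross-site form post exploits, next to the same handler hardened with an Origin check and a per-session synchronizer token. The Request class, the SESSIONS store, SECRET_KEY, and the site and attacker origins are all constructed for the example.

```python
"""CSRF on a comment endpoint: vulnerable handler vs. hardened handler (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical per-deployment secret and session store, constructed for this example.
SECRET_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-victim-1": "victim"}        # session cookie value -> user
SITE_ORIGIN = "https://blog.example"          # the site that owns the comment form


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    A page on another origin cannot read it, so it cannot forge a request carrying it,
    and a token captured from one session is useless for another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)  # constant-time compare


def same_origin(headers: dict, site_origin: str) -> bool:
    """Defense in depth: Origin (or Referer as a fallback) must match the site.
    Browsers send Origin on cross-site POSTs; a request with neither header is refused."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def post_comment_vulnerable(req: Request, comments: list) -> int:
    """Trusts the session cookie alone. The victim's browser attaches that cookie to a
    form post triggered by an attacker's page, so the comment is stored as the victim."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 403
    comments.append((user, req.form.get("text", "")))
    return 200


def post_comment_hardened(req: Request, comments: list) -> int:
    """Same handler, plus an origin check and the per-session token the site's own form carries."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 403
    if not same_origin(req.headers, SITE_ORIGIN):
        return 403
    if not verify_csrf_token(sid, req.form.get("csrf_token")):
        return 403
    comments.append((user, req.form.get("text", "")))
    return 200


def forged_request() -> Request:
    """What the victim's browser sends after loading an attacker page with an
    auto-submitting form: victim's cookie, attacker's fields, attacker's Origin."""
    return Request(cookies={"session": "sess-victim-1"},
                   form={"text": "spam posted as the victim"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request() -> Request:
    """A post from the form the site itself rendered, carrying the token it issued."""
    return Request(cookies={"session": "sess-victim-1"},
                   form={"text": "hello", "csrf_token": issue_csrf_token("sess-victim-1")},
                   headers={"Origin": SITE_ORIGIN})


def demo() -> dict:
    vuln, hard = [], []
    return {
        "vulnerable_forged": post_comment_vulnerable(forged_request(), vuln),  # 200
        "hardened_forged": post_comment_hardened(forged_request(), hard),      # 403
        "hardened_legit": post_comment_hardened(legitimate_request(), hard),   # 200
        "vulnerable_comments": len(vuln),
        "hardened_comments": len(hard),
    }


if __name__ == "__main__":
    print(demo())
```

Running it, the forged post is accepted by the vulnerable handler and stored under the victim's name, while the hardened handler refuses it and still accepts the site's own form. The token is an HMAC over the session id so it cannot be transplanted between sessions, and it is compared in constant time. The same idea gives a quick check on a patched deployment: a POST to the commenting or community endpoint that lacks the expected token, or that arrives with a foreign Origin, must be refused rather than applied.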
References for CVE-2012-0317
- JVNDB-2012-000015 (JVN iPedia, Vulnerability Countermeasure Information Database): http://jvndb.jvn.jp/jvndb/JVNDB-2012-000015
- MovableType.org Documentation: Movable Type 5.13, 5.07, and 4.38 Release Notes [Patch; Vendor Advisory]: http://www.movabletype.org/documentation/appendices/release-notes/513.html
- SecurityTracker 1026738: Movable Type Flaws Permit Remote Authenticated Command Injection and Remote Cross-Site Scripting and Cross-Site Request Forgery Attacks: http://www.securitytracker.com/id?1026738
- SecurityFocus BID 52138: Movable Type Multiple Remote Vulnerabilities: http://www.securityfocus.com/bid/52138
- JVN#70683217: Movable Type vulnerable to cross-site request forgery: http://jvn.jp/en/jp/JVN70683217/index.html
- Debian Security Information DSA-2423-1 (movabletype-opensource): http://www.debian.org/security/2012/dsa-2423
- MovableType.org News: Movable Type 5.13, 5.07, and 4.38 Security Updates [Patch; Vendor Advisory]: http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html
Products affected by CVE-2012-0317
- cpe:2.3:a:sixapart:movable_type:*:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:*:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.25:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.23:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.01:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.15:beta1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.15:beta3:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.15:beta4:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.24:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.26:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.35:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.36:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.1:beta:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.261:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.27:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.22:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.292:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.12:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.2:rc5:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.05:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.031:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.04:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.02:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.03:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.04:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.02:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.01:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.12:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.11:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.0:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.051:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.05:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.292:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.1:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.06:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.361:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.36:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.12:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.11:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.1:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.06:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.04:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.02:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.051:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.05:*:advanced:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.12:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.11:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.1:beta:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.051:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.361:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.07:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:5.06:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.37:*:*:*:*:*:*:*