Vulnerability Details : CVE-2022-38972
Cross-site scripting vulnerability in Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series) and versions prior to 3.9.1 (for Movable Type 6 Series) allows a remote unauthenticated attacker to inject an arbitrary script.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-38972
- cpe:2.3:a:ark-web:a-form:*:*:*:*:*:movable_type_7_series:*:*
- cpe:2.3:a:ark-web:a-form:*:*:*:*:*:movable_type_6_series:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-38972
- EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2022-38972
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2022-38972
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-38972
- https://www.ark-web.jp/movabletype/blog/2022/09/a-series-411-391.html : Movable Type Blog - Release notes: A-Form PC 4.1.1/3.9.1, A-Member 4.1.1/3.9.1, A-Reserve 4.1.1/3.9.1, A-Member Subscription Pack 1.005 : ARK-Web, web production (Chuo-ku, Tokyo) (Vendor Advisory)
- https://jvn.jp/en/jp/JVN48120704/index.html : JVN#48120704: Movable Type plugin A-Form vulnerable to cross-site scripting (Third Party Advisory)
- https://www.ark-web.jp/blog/archives/2022/09/a-series-411-391.html : MT plugin A series: Announcing the release of new versions 4.1.1/3.9.1 (vulnerability fix release) : ARK-Web blog (Vendor Advisory)