CVE-2012-1497

The default configuration of Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 supports the "mt:Include file=" attribute, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files by leveraging the template-designer role.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:movabletype:movable_type_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.0:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.0:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.1:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.01:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.2:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.2:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.3:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.23:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.25:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.26:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.31:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.32:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.33:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.34:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.35:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.36:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.261:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:4.361:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.02:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.03:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.04:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.05:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.06:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.11:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.12:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.031:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_open_source:5.051:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:movabletype:movable_type_enterprise:*:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.0:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.0:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.01:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.1:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.2:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.2:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.3:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.23:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.25:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.26:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.31:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.32:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.33:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.34:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.35:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.36:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.261:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:4.361:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.02:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.03:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.04:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.05:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.06:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.11:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.12:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.031:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_enterprise:5.051:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:movabletype:movable_type_advanced:*:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.0:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.0:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.01:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.1:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.2:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.2:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.3:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.23:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.25:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.26:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.31:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.32:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.33:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.34:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.35:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.36:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.261:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:4.361:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.02:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.03:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.04:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.05:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.06:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.11:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.12:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.031:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_advanced:5.051:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:movabletype:movable_type_pro:*:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.0:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.0:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.1:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.01:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.2:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.2:beta:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.3:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.23:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.25:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.26:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.31:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.32:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.33:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.34:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.35:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.36:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.261:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:4.361:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.1:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.02:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.03:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.04:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.05:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.06:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.11:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.12:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.031:*:*:*:*:*:*:*
cpe:2.3:a:movabletype:movable_type_pro:5.051:*:*:*:*:*:*:*

History

21 Nov 2024, 01:37

Type Values Removed Values Added
References () http://www.debian.org/security/2012/dsa-2423 - () http://www.debian.org/security/2012/dsa-2423 -
References () http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html - Patch, Vendor Advisory () http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html - Patch, Vendor Advisory
References () http://www.movabletype.org/documentation/appendices/release-notes/513.html - Patch, Vendor Advisory () http://www.movabletype.org/documentation/appendices/release-notes/513.html - Patch, Vendor Advisory

Information

Published : 2012-03-03 04:04

Updated : 2024-11-21 01:37


NVD link : CVE-2012-1497

Mitre link : CVE-2012-1497

CVE.ORG link : CVE-2012-1497


JSON object : View

Products Affected

movabletype

  • movable_type_enterprise
  • movable_type_open_source
  • movable_type_advanced
  • movable_type_pro
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')