oss-sec mailing list archives
CVE request: MovableType before 5.2.12
From: John Lightsey <john () nixnuts net>
Date: Thu, 12 Feb 2015 07:25:38 -0600
Hi there,

MovableType 5.2.12 was released today to fix a flaw where Perl's Storable::thaw() was called on data sent by unauthenticated remote users in some interfaces.

https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html

The payload example provided to SixApart was a local file inclusion attack, but unauthenticated arbitrary remote code execution should be straightforward by tailoring the payload for the mix of Perl installed on the system running MTOS.

Please assign a CVE number for this issue.

John
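The report above concerns Storable::thaw() reaching data supplied by unauthenticated clients. As an added example (not part of the original message and not Movable Type's actual fix), the Perl sketch below shows one general mitigation: the server authenticates a serialized blob with an HMAC and refuses to call thaw() unless the tag verifies. The key value, the token layout and the helper names `seal` and `open_sealed` are assumptions made for illustration.

```perl
#!/usr/bin/env perl
# Added example, not Movable Type code: a serialized blob that round-trips
# through the client is only thawed if it carries a valid server-made HMAC.
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumption: a per-installation secret loaded from server-side configuration.
my $KEY = 'constructed-demo-key-do-not-reuse';

# Serialize server-side state and prepend a 32-byte HMAC-SHA256 tag.
sub seal {
    my ($data) = @_;
    my $blob = nfreeze($data);
    return encode_base64(hmac_sha256($blob, $KEY) . $blob, '');
}

# Return the decoded structure, or undef if the tag does not verify.
# thaw() is never reached for input the server did not produce.
sub open_sealed {
    my ($token) = @_;
    my $raw = decode_base64($token // '');
    return undef if length($raw) <= 32;
    my ($tag, $blob) = (substr($raw, 0, 32), substr($raw, 32));
    my $expect = hmac_sha256($blob, $KEY);
    # Constant-time comparison: OR together the XOR of every byte pair.
    my $diff = 0;
    $diff |= ord(substr($tag, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 31;
    return undef if $diff;
    local $Storable::Eval = 0;    # never eval serialized code references
    return thaw($blob);
}

# Constructed sample data: a token the server issued itself.
my $token = seal({ user => 'alice', step => 2 });
print "valid token: ",
    (defined open_sealed($token) ? "accepted" : "rejected"), "\n";

# Constructed tampering: flip one bit in the payload that follows the tag.
my $raw = decode_base64($token);
substr($raw, 40, 1) = chr(ord(substr($raw, 40, 1)) ^ 0x01);
print "tampered token: ",
    (defined open_sealed(encode_base64($raw, '')) ? "accepted" : "rejected"), "\n";
```

Where the data does not need to be a Perl structure with blessed objects, exchanging it as JSON instead of a Storable image avoids calling thaw() on client input at all.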