SQL Injection in Sixapart Movable_type

CVE-2014-9057

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Vulnerability class: SQL Injection

EPSS: 0.004 (58.2th percentile) — read the EPSS interpretation.

Affected products

Sixapart Movable_type — versions 5.2, 5.2.2, 5.2.3
Debian Debian_linux — versions 7.0
N/a — versions n/a

Weakness classification (CWE)

CWE-89 — SQL Injection

References

61227 (x_refsource_SECUNIA, third-party-advisory)
DSA-3183 (vendor-advisory, x_refsource_DEBIAN)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)