CVE-2021-20837: OS Command Injection
First published: Tue Oct 26 2021(Updated: )
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.
Credit: vultures@jpcert.or.jp
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sixapart Movable Type | <=1.46 | |
| Sixapart Movable Type | <=1.46 | |
| Sixapart Movable Type | >=4.0<=6.3.11 | |
| Sixapart Movable Type | >=6.5.0<=6.8.2 | |
| Sixapart Movable Type | >=6.5.0<=6.8.2 | |
| Sixapart Movable Type | >=7.0<=7.8.1 | |
| Sixapart Movable Type | >=7.0<=7.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html
- https://jvn.jp/en/jp/JVN41119755/index.html
- https://movabletype.org/news/2021/10/mt-782-683-released.html
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-20837.
What is the severity of CVE-2021-20837?
The severity of CVE-2021-20837 is critical with a severity value of 9.8.
Which software versions are affected by CVE-2021-20837?
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier are affected.
How to fix CVE-2021-20837?
Apply the latest security patch provided by Sixapart Movable Type.
Where can I find more information about CVE-2021-20837?
You can find more information about CVE-2021-20837 at the following references: [link1](http://packetstormsecurity.com/files/164705/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html), [link2](http://packetstormsecurity.com/files/164818/Movable-Type-7-r.5002-XMLRPC-API-Remote-Command-Injection.html), [link3](https://jvn.jp/en/jp/JVN41119755/index.html).
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/type
- agent/tags
- agent/event
- agent/author
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/sixapart
- canonical/sixapart movable type
- version/sixapart movable type/1.46
- version/sixapart movable type/4.0
- version/sixapart movable type/6.3.11
- version/sixapart movable type/6.5.0
- version/sixapart movable type/6.8.2
- version/sixapart movable type/7.0
- version/sixapart movable type/7.8.1