Package: movabletype-opensource
Version: 5.1.2+dfsg-3
Severity: grave
Justification: security
http://www.movabletype.org/2012/02/movable_type_513_507_and_438_security_updates.html

"5.13, 5.07, and 4.38 address multiple vulnerabilities, including:

- OS Command Injection exists in the file management system, the most serious of which may lead to arbitrary OS command execution by a user who has permission to sign in to the admin script and also has permission to upload files.

- Session Hijack and CSRF exist in the commenting and the community script. A remote attacker could hijack the user session or could execute arbitrary script code in the victim's browser under certain circumstances.

- XSS exists in templates where the variables are not escaped properly. A remote attacker could inject client-side script into web pages viewed by other users.

- XSS exists in mt-wizard.cgi. This vulnerability was reported by Trustwave (TWSL2012-003)."

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)