Movable Type Password Reset Email Forgery Vulnerability

Vulnerability

A vulnerability exists in Movable Type versions 8.0.0 to 8.0.6, 8.4.0 to 8.4.2, and affected releases of the Movable Type 7 series. It allows a remote, unauthenticated attacker to cause the application to send a tampered password reset email. The root cause is classified as use of a less trusted source (CWE-348): data taken from an untrusted source is used when composing the password recovery email, so an attacker who triggers the recovery flow can influence the content of the message the server sends.
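The advisory does not state which untrusted source Movable Type used, so the following is a generic illustration of CWE-348 in a password-reset flow, added here as an example and not taken from Movable Type's code. The common shape of this bug is that the reset link's origin is copied from request data (such as the Host header) instead of from server configuration. All URLs, paths, header names and the `/reset-password` endpoint below are constructed for the example.

```python
"""Added illustration of CWE-348 in a password-reset flow (not Movable Type's
code). Every URL, path and header value below is constructed for the example."""
import secrets
from urllib.parse import urlsplit, urlunsplit

# Hypothetical site base URL as an administrator would set it in server
# configuration. This is the trusted source for building outbound links.
CONFIGURED_SITE_URL = "https://blog.example.com/cms"
RESET_PATH = "/reset-password"  # hypothetical endpoint name


def new_reset_token() -> str:
    """Unguessable single-use token; a reset link is worthless without it."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's origin is copied from the request.

    Host and X-Forwarded-Proto are supplied by whoever sent the request, so
    they are a less trusted source than server configuration (CWE-348). An
    attacker who submits the 'forgot password' form for a victim's account
    with a forged Host header makes the server itself mail the victim a link
    that points at an attacker-controlled host.
    """
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers.get("Host", "")
    return f"{scheme}://{host}{RESET_PATH}?token={token}"


def reset_link_hardened(token: str) -> str:
    """Hardened pattern: every part of the link except the token comes from
    configuration; nothing the requester sent reaches the email body."""
    base = urlsplit(CONFIGURED_SITE_URL)
    path = base.path.rstrip("/") + RESET_PATH
    return urlunsplit((base.scheme, base.netloc, path, f"token={token}", ""))


def link_uses_configured_origin(link: str) -> bool:
    """Outbound check: the link must point at the configured scheme and host.

    Defence in depth for the case where the link builder cannot be trusted
    to ignore request data; run it before any reset mail leaves the system.
    """
    got, want = urlsplit(link), urlsplit(CONFIGURED_SITE_URL)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


def compose_reset_email(recipient: str, link: str) -> str:
    """Build the message body; refuses links whose origin is not the site's."""
    if not link_uses_configured_origin(link):
        raise ValueError("refusing to mail a reset link with an untrusted origin")
    return (f"To: {recipient}\n\n"
            "A password reset was requested for your account.\n"
            "Open this link to choose a new password:\n"
            f"{link}\n")


if __name__ == "__main__":
    token = new_reset_token()
    # Constructed request: the attacker triggers a reset for the victim while
    # supplying their own Host header.
    forged = {"Host": "attacker.example.net", "X-Forwarded-Proto": "https"}
    bad = reset_link_vulnerable(forged, token)
    good = reset_link_hardened(token)
    print("vulnerable build:", bad, "trusted origin:", link_uses_configured_origin(bad))
    print("hardened build:  ", good, "trusted origin:", link_uses_configured_origin(good))
    print(compose_reset_email("victim@example.com", good))
```

The outbound origin check is the piece worth keeping even after the link builder is fixed: it turns a forgery attempt into a logged refusal instead of a delivered phishing mail, and it is cheap to run on every reset message.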

Impact

Exploitation of this vulnerability allows a remote, unauthenticated attacker to have the application send a user a fraudulent password reset email. Because the message originates from the legitimate server, the recipient has little reason to distrust it, which makes the tampered content an effective lure for taking over the account.

Remediation

Users are advised to update to Movable Type 8.4.3, 8.0.7, or 7 r.5509. Movable Type Premium users should upgrade to version 2.10 or 1.67. After upgrading, confirm the running version matches one of the fixed releases. For more information, see the Movable Type release notes.

Added: Aug 20, 2025, 5:20 AM
Updated: Aug 20, 2025, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread:          5.2
impact:          0.6
exploitability:  7.6
remediation:     7.7
relevance:       0.4
threat:          0.0
urgency:         2.9
incentive:       5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.