Six Apart Ltd. Movable Type
cpe:2.3:a:sixapart:movable_type:*:*:*:*:*:*:*
- <= 9.1.0
- <= 9.0.6
- ~2.14
- ~1.0
A missing authorization vulnerability has been identified in Movable Type. The issue occurs when a user without administrator privileges logs into the application under certain conditions, potentially allowing the execution of unintended update processes.
Affected versions:
- Movable Type: 9.1.0 and earlier (9.1 series), 9.0.6 and earlier (9.0 series), 8.8.2 and earlier (8.8 series), and 8.0.9 and earlier (8.0 series)
- Movable Type Premium and its Advanced Edition: 9.1.0 and earlier (9.1 series) and 9.0.6 and earlier (9.0 series)
- Movable Type Premium (MT8-based): 2.14 and earlier
- End-of-support products: Movable Type 5.1 to 5.18, 5.2, 6.0 through 6.8.8, 7 r.4207 to r.5510, and 8.4.0 to 8.4.4; Movable Type Premium 1.0 to 1.68
Exploitation of this vulnerability could allow users with insufficient privileges to perform unauthorized update actions, potentially leading to other security issues.
Users can update to the latest version of Movable Type or Movable Type Premium. For Movable Type, versions 9.0.8, 8.8.4, and 8.0.11 are available. Movable Type Premium users can upgrade to versions 9.0.8 or 2.16. For those using an end-of-support product, no update is available, and it is recommended to upgrade to a supported version.