CVE-2025-24841

Summary

Movable Type contains a stored cross-site scripting vulnerability in the HTML edit mode of MT Block Editor. It is exploitable when TinyMCE6 is used as a rich text editor and an arbitrary script may be executed on a logged-in user's web browser.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Premium (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Cloud Edition (8.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Premium Cloud Edition (2.x series)2.06 and earlieraffected

Weaknesses

  • CWE-79: Cross-site scripting (XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References