CVE-2025-25054

Summary

Movable Type contains a reflected cross-site scripting vulnerability in the user information edit page. When Multi-Factor authentication plugin is enabled and a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.4.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Advanced (8.0.x series)8.0.5 and earlieraffected
Six Apart Ltd.Movable Type Premium (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (2.x series)2.06 and earlieraffected
Six Apart Ltd.Movable Type Cloud Edition (8.x series)8.4.1 and earlieraffected
Six Apart Ltd.Movable Type Premium Cloud Edition (2.x series)2.06 and earlieraffected

Weaknesses

  • CWE-79: Cross-site scripting (XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References