CVE Vulnerability

CVE-2022-38972

Cross-site scripting vulnerability in Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series) and versions prior to 3.9.1 (for Movable Type 6 Series) allows a remote unauthenticated attacker to inject an arbitrary script.

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://jvn.jp/en/jp/JVN48120704/index.html Third Party Advisory
https://www.ark-web.jp/blog/archives/2022/09/a-series-411-391.html Vendor Advisory
https://www.ark-web.jp/movabletype/blog/2022/09/a-series-411-391.html Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:ark-web:a-form:*:*:*:*:*:movable_type_6_series:*:*
cpe:2.3:a:ark-web:a-form:*:*:*:*:*:movable_type_7_series:*:*
Information

Published : 2022-09-12 02:15

Updated : 2022-09-15 03:48

NVD link : CVE-2022-38972

Mitre link : CVE-2022-38972

Products Affected
No products.
CWE
CWE-79