Vulnerability Details : CVE-2013-0209
Public exploit exists!
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.
Vulnerability category: Sql InjectionBypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2013-0209
Probability of exploitation activity in the next 30 days: 6.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2013-0209
-
Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution
Disclosure Date: 2013-01-07First seen: 2020-04-26exploit/multi/http/movabletype_upgrade_execThis module can be used to execute a payload on MoveableType (MT) that exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following propertie
CVSS scores for CVE-2013-0209
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2013-0209
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-0209
-
http://www.movabletype.org/2013/01/movable_type_438_patch.html
MovableType.org – News: Movable Type 4.38 patch to fix a known upgrading security issuePatch;Vendor Advisory
-
http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt
Exploit
-
http://www.sec-1.com/blog/?p=402
Moveable Type 4.x Unauthenticated Remote Command Execution - Sec-1 LabsSec-1 LabsExploit
-
http://openwall.com/lists/oss-security/2013/01/22/3
oss-security - Re: CVE request for Movable Type
Products affected by CVE-2013-0209
- cpe:2.3:a:sixapart:movable_type:4.25:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.23:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.21:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.24:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.26:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.35:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.36:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.261:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.27:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.22:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.292:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.292:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.361:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.36:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.28:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.291:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.29:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.361:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.37:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.38:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.32:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.34:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.292:*:enterprise:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.31:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.33:*:*:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.38:*:open_source:*:*:*:*:*
- cpe:2.3:a:sixapart:movable_type:4.37:*:open_source:*:*:*:*:*