← back
CVE-2013-0209

CVE-2013-0209

EPSS 45.2%
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted parameters, as demonstrated by an eval injection attack against the core_drop_meta_for_table function, leading to execution of arbitrary Perl code.
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/24321unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://openwall.com/lists/oss-security/2013/01/22/3http://www.movabletype.org/2013/01/movable_type_438_patch.htmlhttp://www.sec-1.com/blog/?p=402http://www.sec-1.com/blog/wp-content/uploads/2013/01/movabletype_upgrade_exec.rb_.txt