CVE-2022-45122: Cross-site scripting in Six Apart Ltd. Movable Type
Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type 6.8.7 and earlier (Movable Type 6 Series), Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.
AI Analysis
Technical Summary
CVE-2022-45122 is a cross-site scripting (XSS) vulnerability in Six Apart Ltd.'s Movable Type content management system (CMS). The affected releases are Movable Type 7 r.5301 and earlier, Movable Type Advanced 7 r.5301 and earlier, Movable Type 6.8.7 and earlier, Movable Type Advanced 6.8.7 and earlier, Movable Type Premium 1.53 and earlier, and Movable Type Premium Advanced 1.53 and earlier. A remote attacker needs no account on the site to inject a script; the advisory does not name the specific parameter or page that fails to neutralize input.

The weakness is CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 6.1 (medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges required, user interaction required (a victim must load the page carrying the payload), scope changed, low confidentiality and integrity impact, and no availability impact. The scope change is the usual one for XSS: the flaw sits in the server-side application, but the injected script executes under a different security authority, the victim's browser, within the origin of the Movable Type site.

As with any CWE-79 issue, the root cause is that user-controlled input is written into an HTML response without output encoding appropriate to its context, so the browser treats attacker data as markup and executes it. What the attacker gains depends on who views the affected page: against a logged-in editor or administrator the script can issue authenticated requests to the administrative interface in the victim's name, capture anything typed into the page, read any session cookie not flagged HttpOnly, deface the site, or redirect visitors to a malicious site. No exploitation in the wild had been reported at the time of this analysis, but with no authentication required and low attack complexity, the only real barrier is getting a victim to view the injected content, which makes the flaw a significant risk for sites running the listed versions.
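As an added example, not part of the advisory and not Movable Type's own code: a small Python triage helper that parses product/version labels in the format the advisory uses and reports whether each falls inside the affected ranges. The bounds are taken verbatim from the advisory text above; the inventory labels in the block are constructed. A label above a bound is reported as not affected by this CVE only, which says nothing about other issues, and an unrecognised label is reported for manual review rather than silently treated as safe.

```python
"""Triage helper: does a Movable Type product/version label fall inside the
ranges CVE-2022-45122 lists as affected?  Added example, not Six Apart code."""
import re

# Upper bounds of the affected ranges, verbatim from the advisory ("... and
# earlier").  Anything at or below a bound is affected by this CVE.
MT7_MAX_REVISION = 5301         # Movable Type 7 / Advanced 7: "7 r.5301 and earlier"
MT6_MAX_VERSION = (6, 8, 7)     # Movable Type 6 / Advanced 6: "6.8.7 and earlier"
PREMIUM_MAX_VERSION = (1, 53)   # Premium / Premium Advanced: "1.53 and earlier"

# Label formats as the advisory writes them; "Advanced" is optional in each line.
_PREMIUM_RE = re.compile(r"Premium(?:\s+Advanced)?\s+(\d+)\.(\d+)\b")
_MT7_RE = re.compile(r"\b7\s+r\.(\d+)\b")        # the 7 series is identified by r.NNNN
_MT6_RE = re.compile(r"\b6\.(\d+)\.(\d+)\b")


def parse_version(label):
    """Map a label to (series, comparable version tuple).

    Returns ("premium", (major, minor)), ("mt7", (revision,)) or
    ("mt6", (6, minor, patch)); raises ValueError for anything else so that an
    unknown product line is never silently reported as safe."""
    m = _PREMIUM_RE.search(label)
    if m:
        return "premium", (int(m.group(1)), int(m.group(2)))
    m = _MT7_RE.search(label)
    if m:
        return "mt7", (int(m.group(1)),)
    m = _MT6_RE.search(label)
    if m:
        return "mt6", (6, int(m.group(1)), int(m.group(2)))
    raise ValueError(f"unrecognised Movable Type product/version: {label!r}")


def is_affected(label):
    """True if the labelled release is within an affected range for this CVE."""
    series, version = parse_version(label)
    if series == "mt7":
        # The advisory bounds the 7 series by revision number alone.
        return version[0] <= MT7_MAX_REVISION
    if series == "mt6":
        return version <= MT6_MAX_VERSION
    return version <= PREMIUM_MAX_VERSION


def triage(labels):
    """Label -> True (affected), False (outside the listed ranges) or None
    (not a product line the advisory covers; needs manual review)."""
    result = {}
    for label in labels:
        try:
            result[label] = is_affected(label)
        except ValueError:
            result[label] = None
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts or releases.
    inventory = [
        "Movable Type 7 r.5301",
        "Movable Type Advanced 7 r.5302",
        "Movable Type 6.8.7",
        "Movable Type Advanced 6.8.8",
        "Movable Type Premium Advanced 1.53",
        "Movable Type Premium 1.54",
        "Movable Type 8.0.0",
    ]
    for label, verdict in triage(inventory).items():
        status = {True: "AFFECTED", False: "not affected", None: "review manually"}[verdict]
        print(f"{label:40s} {status}")
```

The comparison is deliberately series-aware: a 6-series version string is never compared against the 7-series revision bound, and a Premium label is recognised before the generic patterns so that "Premium 1.53" cannot be misread as a 6.x or 7 r.NNNN release.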
Potential Impact
For European organizations running Movable Type, the vulnerability puts the confidentiality and integrity of the site and its users at risk; availability is not affected. An attacker who lands a payload in a page can hijack the session of whoever views it, capture authentication tokens or form input, and perform actions in that user's name; when the viewer is a site editor or administrator, that extends to the content and configuration of the CMS. Organizations processing personal data under GDPR should treat successful exploitation as a potential personal data breach, with the notification, regulatory and reputational consequences that entails. A compromised public site can also be turned into a platform for malware distribution or phishing aimed at its visitors.

The medium CVSS score reflects the need for victim interaction and the low per-exploit impact rating, but the absence of any authentication requirement and the network reachability of the target make exploitation attempts likely once a payload location becomes known. Exposure is highest for high-traffic public sites, for sites whose editors and administrators use the same browser profile for the CMS and for general browsing, and for installations integrated with other internal systems. Because the injected script runs in the viewer's browser, its practical reach is set by that viewer's privileges rather than by the component that failed to encode the input. No active exploitation is known, but the vulnerability's characteristics warrant prompt patching.
Mitigation Recommendations
1. Upgrade to a fixed release of the relevant product line; this is the only complete fix. The advisory text here carries no patch links, so use Six Apart Ltd.'s release notes and support channels (and the JPCERT/JVN advisory for this CVE) to identify the first release after 7 r.5301, 6.8.7 and Premium 1.53 respectively, and verify the installed version afterwards.
2. Until the upgrade is done, deploy Web Application Firewall (WAF) rules that block common XSS payloads on requests to the Movable Type CGI entry points. Treat this as a stopgap only: signature-based filtering is routinely bypassed with encoding and tag variants, and it does not restore the missing output encoding.
3. Set a Content Security Policy (CSP) that disallows inline script and restricts script-src to the site's own origin, with a nonce or hash for any inline script the templates genuinely need. Roll it out in report-only mode first, because Movable Type's administrative interface and third-party plugins may rely on inline script that a strict policy would break. Confirm as well that session cookies carry the HttpOnly and Secure flags, so a script that does execute cannot simply read them.
4. In custom templates and plugins, HTML-encode every user-supplied value at the point it is written into a page, choosing the encoding for the context (HTML body, attribute, URL, JavaScript). Validation on input alone does not prevent XSS.
5. Monitor web server and application logs for requests to the Movable Type CGI scripts that carry script tags, event-handler attributes or javascript: URLs, including their URL-encoded and double-encoded forms. Payloads submitted in POST bodies do not appear in standard access logs, so application-level logging is needed to cover those.
6. Train web administrators and developers in output encoding and XSS prevention, with Movable Type's templating and plugin model as the concrete case.
7. If immediate patching is not feasible, restrict the features that accept unauthenticated input (in a stock install, comments, trackbacks and search are the usual candidates; the advisory does not name the affected one) and limit access to the administrative interface, for instance with network allow-lists or an authenticating reverse proxy, until the fix is applied.
8. Audit and test the site for XSS regularly with automated scanners and manual penetration testing, and repeat after the upgrade to confirm no residual issues remain in custom templates or plugins.
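The log review in item 5, as an added example that is not part of the advisory and not Movable Type's own code: a Python scanner over Apache/nginx combined-format access log lines that decodes the request target repeatedly (so double-encoded payloads are inspected in their final form) and flags XSS indicators on requests to Movable Type's CGI entry points. The log lines are constructed for the example; the script names are an assumed watchlist of a stock install's CGI entry points, not a statement of which one carries the flaw.

```python
"""Scan web server access logs for XSS attempts against Movable Type's CGI
entry points.  Added example for the monitoring step; not Six Apart code."""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed watchlist: CGI scripts of a stock Movable Type install.  The advisory
# does not say which one is vulnerable, so requests to all of them are checked.
MT_SCRIPTS = {"mt.cgi", "mt-search.cgi", "mt-comments.cgi", "mt-tb.cgi"}

# Indicators matched against the fully decoded request target.  The event
# handler list is explicit on purpose, so ordinary parameter names such as
# "one=" or "option=" do not trigger it.
XSS_INDICATORS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"\bjavascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"\bon(?:load|error|click|focus|blur|toggle|mouse\w+|key\w+|"
                r"pointer\w+|animation\w*)\s*=", re.I), "inline event handler"),
    (re.compile(r"<\s*(?:svg|img|iframe|object|embed)\b", re.I), "script-bearing tag"),
]


def fully_decode(s, max_rounds=3):
    """Undo percent-encoding until the string stops changing, so a
    double-encoded payload (%253C -> %3C -> <) is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line):
    """Return a finding for a suspicious request to an MT script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = target.split("?", 1)[0]
    if path.rsplit("/", 1)[-1] not in MT_SCRIPTS:
        return None
    decoded = fully_decode(target)
    hits = [name for rx, name in XSS_INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "indicators": hits, "decoded": decoded}


def scan_log(lines):
    """Findings for every line that parses, targets an MT script and matches."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines using RFC 5737 test addresses; not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Nov/2022:10:15:01 +0000] "GET /cgi-bin/mt/mt-search.cgi'
    '?search=movable+type&IncludeBlogs=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2022:10:15:09 +0000] "GET /cgi-bin/mt/mt-search.cgi'
    '?search=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 4880 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Nov/2022:10:16:44 +0000] "GET /cgi-bin/mt/mt-comments.cgi'
    '?entry_id=12&text=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/7.85"',
    '198.51.100.9 - - [20/Nov/2022:10:17:02 +0000] "GET /index.html HTTP/1.1" 200 9001 "-" "curl/7.85"',
    '192.0.2.44 - - [20/Nov/2022:10:18:30 +0000] "POST /cgi-bin/mt/mt.cgi HTTP/1.1" 302 0 '
    '"https://blog.example/cgi-bin/mt/mt.cgi" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} [{', '.join(f['indicators'])}] {f['decoded']}")
```

The scanner only sees what the access log records, which is the request line: a payload sent in a POST body (a comment form, for instance) never appears here, so the hit on the mt.cgi POST above is correctly absent even though the body is unknown. Tune the indicator list to the site's own traffic before feeding the findings into a SIEM, and expect encoded-but-benign search terms to need an allow-list.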
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: jpcert
- Date Reserved: 2022-11-15T00:00:00.000Z
- CISA Enriched: true