CVE Request: cross-site scripting vulnerabilities in movable type 6.0.1, 5.2.9, and 5.161

[Salvatore Bonaccorso <carnil () debian org>]

Hi

A movable type update to 6.0.1, 5.29 and 5.161 fixes cross-site
scripting attacks, from the announcement:

> The Rich Text Editor in previous versions of Movable Type 6 and
> Movable Type 5 are susceptible to cross-site scripting (XSS) attacks.
> A remote attacker can inject JavaScript into a page or entry in a
> Movable Type blog or website. This JavaScript can be executed on the
> client browser when that page or entry is subsequently displayed in
> the Rich Text Editor.
>
> These vulnerabilities were reported by a member of the Movable Type
> community, and were kept confidential until the release of the updated
> versions of Movable Type.

 [0]  http://movabletype.org/news/2013/11/movable_type_601_529_and_5161_released_to_close_security_vul.html

Looking trough the git repository at [1], there is at least [2] which
seems to indicate the fix for the 5.2.x branch (I cannot say tough if
this the complete one).

 [1] https://github.com/movabletype/movabletype
 [2] https://github.com/movabletype/movabletype/commit/c85903b3ee23ea2b4ddf981a75815c737f6f6040

Debian Bugtracker reference is at [3].

 [3] http://bugs.debian.org/734304

Is there enough information to identify the vulnerability and to get a
CVE assigned for this issue?

Regards,
Salvatore