CVE 2008-5846
Six Apart Movable Type (MT) before 4.23 allows remote authenticated users with create permission for posts to bypass intended access restrictions and publish posts via a "system-wide entry listing screen."
See the 
CVE page on Mitre.org
for more details.
