Six Apart Movable Type (MT) before 4.23 allows remote authenticated users with create permission for posts to bypass intended access restrictions and publish posts via a "system-wide entry listing screen."

More... (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5846)