    Movable Type 6.0.1, 5.2.9, and 5.161 Released to Close Security Vulnerabilities - News

    Posted by Dave Aiello on 2013-11-19 19:12:49

    We are releasing Movable Type 6.0.1, 5.2.9, and 5.161 as mandatory security updates.  These updates resolve multiple security-related issues discovered in all previous versions of Movable Type 6 and Movable Type 5.

    Details of the Security Updates

    The Rich Text Editor in previous versions of Movable Type 6 and Movable Type 5 is susceptible to cross-site scripting (XSS) attacks.  A remote attacker can inject JavaScript into a page or entry in a Movable Type blog or website.  This JavaScript can be executed in the client browser when that page or entry is subsequently displayed in the Rich Text Editor.

    These vulnerabilities were reported by a member of the Movable Type community, and were kept confidential until the release of the updated versions of Movable Type.

    Affected Versions of Movable Type

    • Movable Type Pro 6.0
    • Movable Type Pro 5.2.x, 5.1x, 5.0x
    • Movable Type Open Source (MTOS) 5.2.x, 5.1x, 5.0x
    • Movable Type Advanced / Movable Type Enterprise 5.2.x, 5.1x, 5.0x

    Steps Required to Close the Security Vulnerabilities

    Please upgrade to the latest versions of Movable Type:

    • Movable Type Pro 6.0.1
    • Movable Type Pro 5.2.9 
    • Movable Type Pro 5.161
    • Movable Type Open Source 5.2.9
    • Movable Type Open Source 5.161
    • Movable Type Advanced / Movable Type Enterprise 5.2.9
    • Movable Type Advanced / Movable Type Enterprise 5.161

    Versions That Are Not Affected

    • Movable Type Advanced 6
    • Movable Type Enterprise 6

    Movable Type Enterprise has not yet been released for Version 6.

    Warnings

    • Movable Type 5.0x has reached End of Life and is no longer supported.  Users who are running any version of 5.0 should upgrade to Movable Type 5.2.9, which is available at no additional charge to paid licensees of Movable Type 5 or users of Movable Type Open Source.
    • Movable Type 4.38 will reach End of Life on December 31, 2013.  Users of Movable Type 4.38 and earlier versions are urged to immediately begin planning for an upgrade to Movable Type 5.2.9 or Movable Type 6.0.1 if they wish to continue to have access to security fixes.

    Non-Security Issues Fixed in These Releases

    110748: [CMS] [Listing] An error occurs when an administrator attempts to delete all members of a website or blog

    Availability of Updated Versions of Movable Type

    Movable Type Pro 6.0.1 and Movable Type Pro, Advanced, and Enterprise 5.2.9 and 5.161 are available through the Movable Type Software Repository Server.  That server is located at https://mtuser.sixapart.jp/en/.

    Movable Type Open Source 5.2.9 and 5.161 are available on request.  Instructions will be posted on November 18, 2013, or shortly thereafter.
