Movable Type 7 r.5005 (7.9.1) / v6.8.5 has been released because the fix in r.5003 (7.8.2) / 6.8.3 was insufficient. This release fixes a critical security issue found in the XMLRPC API of Movable Type (CVE-2021-20837).
For those of you who use Movable Type 4.0 or later, Six Apart strongly recommends that you upgrade to the latest version or apply one of the following workarounds immediately.
Through the XMLRPC API of MT (mt-xmlrpc.cgi), OS command injection (remote code execution) can be performed. The issue is exploitable when mt-xmlrpc.cgi can be reached and executed from the Internet. The affected versions are Movable Type 4.0 and later, including the recently released r.5003 (7.8.2), r.5004 (7.9.0), 6.8.3 and 6.8.4.
One of the following steps can be taken to avoid or reduce the effect of the vulnerability: add `RestrictedPSGIApp xmlrpc` to mt-config.cgi (6.2 and later), or set `XMLRPCScript` to a string of random characters long enough that it cannot be guessed (6.1 and earlier).

Since Six Apart has already terminated support for Movable Type 4.x, 5.x, and 6.0.x-6.3.x, we strongly recommend upgrading to the latest version, Movable Type 7 r.5005 or 6.8.5.
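The following script is an added example for checking an installation against this advisory; it is not Six Apart's code and not part of Movable Type. It reads an mt-config.cgi body and reports whether the XMLRPC workaround above is in place, and it compares an installed version string against the fixed releases named in this advisory (7.9.1 and 6.8.5). Assumptions not stated on this page: mt-config.cgi lines have the form `Directive value` with `#` starting a comment and case-insensitive directive names; `RestrictedPSGIApp` may be repeated or carry a comma-separated list; the 32-character minimum for a "long enough" random script name is this example's own threshold; and when `XMLRPCScript` is changed the CGI file on disk must be renamed to match.

```python
"""Check a Movable Type install against the CVE-2021-20837 advisory.

Added example, not Six Apart's code. Assumptions (not from the advisory):
  * mt-config.cgi lines are `Directive value`; `#` starts a comment;
    directive names are matched case-insensitively.
  * RestrictedPSGIApp may appear more than once or as a comma-separated list.
  * MT 6.1 and earlier have no RestrictedPSGIApp, so only a renamed
    XMLRPCScript counts as a workaround there.
  * MIN_RANDOM_LEN is our own threshold for "long enough not to guess".
"""
import secrets

DEFAULT_XMLRPC_SCRIPT = "mt-xmlrpc.cgi"
MIN_RANDOM_LEN = 32


def parse_mt_config(text):
    """Return {directive_lowercase: [value, ...]} for an mt-config.cgi body."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(name, []).append(value)
    return config


def restricted_apps(config):
    """Set of PSGI app names disabled via RestrictedPSGIApp (assumed syntax)."""
    apps = set()
    for value in config.get("restrictedpsgiapp", []):
        for app in value.split(","):
            if app.strip():
                apps.add(app.strip().lower())
    return apps


def xmlrpc_workaround_status(config_text, major_minor):
    """Classify the workaround state of an install.

    major_minor is the MT version as a tuple, e.g. (7, 0) or (6, 1).
    Returns "restricted" (RestrictedPSGIApp xmlrpc in effect on 6.2+),
    "renamed" (XMLRPCScript set to a long non-default name), or "exposed".
    """
    config = parse_mt_config(config_text)
    if major_minor >= (6, 2) and "xmlrpc" in restricted_apps(config):
        return "restricted"
    script = config.get("xmlrpcscript", [DEFAULT_XMLRPC_SCRIPT])[-1]
    stem = script[:-4] if script.lower().endswith(".cgi") else script
    if script.lower() != DEFAULT_XMLRPC_SCRIPT and len(stem) >= MIN_RANDOM_LEN:
        return "renamed"
    return "exposed"


def random_xmlrpc_script_name():
    """Name suitable for XMLRPCScript on 6.1 and earlier (48 hex chars of
    entropy). The CGI file itself must be renamed to match (assumed)."""
    return f"mt-xmlrpc-{secrets.token_hex(24)}.cgi"


def is_patched(version):
    """True if a dotted version string (e.g. "7.9.1", "6.8.4") is one of
    the fixed lines named in the advisory: 7.9.1+ or 6.8.5+. Anything else
    from 4.0 onward is treated as affected."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))
    if parts[0] >= 7:
        return parts >= (7, 9, 1)
    if parts[0] == 6:
        return parts >= (6, 8, 5)
    return False


if __name__ == "__main__":
    # Constructed sample configs, not real deployments.
    print(xmlrpc_workaround_status("RestrictedPSGIApp xmlrpc\n", (7, 0)))
    print(xmlrpc_workaround_status("CGIPath /cgi-bin/mt/\n", (7, 0)))
    print(is_patched("7.9.0"), is_patched("6.8.5"))
```

Run it against the real mt-config.cgi and the installed version string; an "exposed" result on an unpatched version means mt-xmlrpc.cgi is still reachable with no mitigation, and the upgrade (or one of the workarounds above) is still outstanding.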
Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.
If you have an existing Movable Type 7 or 6.8 license, you can download the latest Movable Type from our download portal using your Six Apart ID.
To purchase a new license or an upgrade, please visit MovableType.com for more information, or feel free to contact us if you have any questions.
Movable Type 6.8 is subject to LTS (long-term support) and will receive bug fixes and security fixes until 2022. However, in order to use Movable Type 6.5.x/6.6.x/6.7.x/6.8.x, the "Pro Unlimited annual license" needs to be renewed every year.