Movable Type 5.13, 5.07, 4.38 released
Six Apart has released a mandatory upgrade for all users of Movable Type:
Movable Type 5.13, 5.07, and 4.38 were released as mandatory security updates. These updates resolve multiple vulnerabilities discovered in Movable Type 5.x and Movable Type 4.x. All users must upgrade to this latest release immediately.
The impact of the vulnerabilities
The previous versions of Movable Type have multiple vulnerabilities including cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF), and OS Command Injection. A remote attacker could execute arbitrary code in a logged-in user's web browser. A remote attacker could read or modify the contents in the system, and could execute a shell command under certain circumstances.
Versions Affected
Movable Type Open Source 4.x
Movable Type Open Source 5.x
Movable Type 4.x (with Professional Pack, Community Pack)
Movable Type 5.x (with Professional Pack, Community Pack)
Movable Type Enterprise 4.x
Solution
Please upgrade to the latest versions of Movable Type 4 or Movable Type 5.
Movable Type Open Source 4.38
Movable Type Open Source 5.07
Movable Type Open Source 5.13
Movable Type 4.38 (with Professional Pack, Community Pack)
Movable Type 5.07 (with Professional Pack, Community Pack)
Movable Type 5.13 (with Professional Pack, Community Pack)
Movable Type Enterprise 4.38
Movable Type Advanced 5.13
Movable Type 5.13 introduces new security features.
Account and IP lockout
Configurable password validation rule
Stronger password encryption
To Upgrade
Current customers can submit a ticket. Your upgrade will be scheduled according to your SLA. New customers should contact 601am for more information.



