We would like to announce the release of CKEditor 4.9.2 that contains a security fix for the Enhanced Image plugin, so an upgrade is highly recommended for all CKEditor 4.5.11+ installations that include it.
# Security issue fixed
CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (
image2) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the
<img> tag and specially crafted HTML.
Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.
CKEditor versions affected: 4.5.11 and later.
We would like to thank the Drupal security team for bringing this matter to our attention and coordinating the fix and release process!