CKEditor 4.9.2 with a security patch released
We would like to announce the release of CKEditor 4.9.2 that contains a security fix for the Enhanced Image plugin, so an upgrade is highly recommended for all CKEditor 4.5.11+ installations that include it.
# Security issue fixed
CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (
image2) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the
<img> tag and specially crafted HTML.
Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.
CKEditor versions affected: 4.5.11 and later.
We would like to thank the Drupal security team for bringing this matter to our attention and coordinating the fix and release process!
# Release notes
Check out the release notes and contact us for more information.
Download CKEditor now and upgrade your installation or use your favorite package manager to install it!
CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.
# Reporting issues and contributing
Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.
Community support is available through Stack Overflow. Visit the resources page for additional options.