We would like to announce the slightly premature release of CKEditor 4.4.3 which, among a variety of fixes and new features, contains a security fix to one of the official plugins. An upgrade is highly recommended!
See the release blog post for more information.
Security Patch: Only Preview plugin affected/patched?
Can this security issue be exploited even if we don't use the Preview plugin? The Preview plugin is built into the CKEditor 4.3.5 we use, but the Preview button is removed in the configuration. If yes, can the issue be exploited if we remove the Preview plugin from the build we use?
We'll do a version upgrade for some future release, but want to avoid the testing phase now ...
Btw.: Is the fixed security issue the same as now reported as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5191 ?
The issue cannot be exploited
The issue cannot be exploited if you remove the plugins/preview directory. The problematic file was plugins/preview/preview.html. Disabling the plugin (by removing the button or via config.removePlugins) is not enough.
Yes, this is the fixed issue.
Piotrek (Reinmar) Koszuliński
CKEditor JavaScript Developer
--
CKSource - http://cksource.com
CK Editor
Can you please let me know whether it will work if we remove the Preview plugin?
If you want to continue using
If you want to continue using the Preview feature, you need to upgrade to the latest CKEditor version.
If you do not need to use the Preview feature and cannot upgrade, you can remove the plugins/preview directory as Reinmar wrote above.
Documentation Manager, CKSource
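A small audit script for the point made in both answers above (that `config.removePlugins` does not help because `plugins/preview/preview.html` is a static file the web server keeps serving). This is an added example, not code from CKSource or the thread; `audit_ckeditor` and `build_sample_tree` are hypothetical helpers, and the sample directory trees they inspect are constructed on the fly.

```python
import os
import re
import tempfile

# Statuses returned by audit_ckeditor (hypothetical helper, not part of CKEditor).
SAFE = "safe"
STATIC_FILE_PRESENT = "plugins/preview/preview.html still present"


def audit_ckeditor(root):
    """Check a deployed CKEditor 4 tree against the guidance in the thread.

    Returns (status, details). A 'preview' entry in config.removePlugins is
    reported in details but NOT treated as a fix: preview.html is a static
    file that is served regardless of the editor's JavaScript configuration.
    """
    preview_html = os.path.join(root, "plugins", "preview", "preview.html")
    details = {"preview_html_present": os.path.isfile(preview_html),
               "disabled_in_config": False}

    # Parse config.removePlugins = '...' from config.js (advisory only).
    cfg = os.path.join(root, "config.js")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as f:
            m = re.search(r"removePlugins\s*=\s*['\"]([^'\"]*)['\"]", f.read())
        if m and "preview" in [p.strip() for p in m.group(1).split(",")]:
            details["disabled_in_config"] = True

    status = STATIC_FILE_PRESENT if details["preview_html_present"] else SAFE
    return status, details


def build_sample_tree(with_preview_file, remove_plugins_line):
    """Constructed sample: a throwaway directory imitating a CKEditor 4 build."""
    root = tempfile.mkdtemp(prefix="ckeditor_sample_")
    os.makedirs(os.path.join(root, "plugins", "preview"))
    if with_preview_file:
        open(os.path.join(root, "plugins", "preview", "preview.html"), "w").close()
    with open(os.path.join(root, "config.js"), "w", encoding="utf-8") as f:
        f.write("CKEDITOR.editorConfig = function(config) {\n"
                + remove_plugins_line + "\n};\n")
    return root


if __name__ == "__main__":
    # Disabled via config only: still flagged, as Reinmar's answer says.
    print(audit_ckeditor(build_sample_tree(True, "config.removePlugins = 'preview';")))
    # File actually removed from the deployed tree: safe.
    print(audit_ckeditor(build_sample_tree(False, "")))
```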