ckeditor_lts 7.x-1.25 | Drupal.org

This is a non-production site

- Drupal Core Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal CMS Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal AI Open limitless possibilities with Drupal AI
- Case Studies Powerful stories that show Drupal solutions in the real world
- Drupal for Government Drupal is the open-source CMS that enables digital transformation of government and increases citizen engagement
- Drupal for Higher Education See why 70% of the world's leading universities chose Drupal
- Drupal for Nonprofit See why Drupal is the open-source CMS choice for some of the world’s most influential nonprofits
- Drupal for eCommerce Natively integrate content and commerce
- Drupal for FinTech Secure and trustworthy FinTech infrastructure
- Drupal for Healthcare Drupal powers systems that are secure, patient-centric and engaging
- Drupal for Media & Publishing Create engaging multi-channel experiences to connect with your audiences - everywhere
- Download Drupal Download Drupal and the extensions you need
- Documentation Full knowledgebase including Drupal 7 resources
- Getting Started Guide to installing Drupal on a server
- Local Development Guide Guide to installing Drupal locally with Docker and DDEV
- Developer Resources Step-by-step guide for learning Drupal
- Drupal User Guide Learn to build with Drupal
- API Complete documentation of Drupal Core APIs
- Modules Extend your project's functionality
- Themes Change your project's look and feel
- Distributions Jumpstart your project with a pre-configured install
- Issues Queue Report issues and contribute improvements
- Security Advisories Stay on top of the latest security alerts and updates
- Find a Drupal Certified Partner Connect with the best Drupal agencies around the world
- Become an Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Find a Hosting Provider Find a hosting provider for your Drupal project
- Find a Migration Partner Get help with your migration to the latest version of Drupal
- Find Training Upskill your Drupal team
- Drupal Steward Ensure your website is protected with Drupal Steward
- About the Community Come for the code, stay for the community
- How to Contribute Get involved in growing and evolving Drupal
- DrupalCon DrupalCon unites experts from around the globe who create ambitious digital experiences. Network, learn, and be inspired
- Events Discover local events, meet-ups, and training
- Jobs / Careers Find opportunities to work in Drupal
- News & Blogs News and stories about Drupal
- Forum Got a question about Drupal? Find answers on the Drupal forums
- Slack Get support and communicate with the global Drupal community
- Newsletters Sign up for Drupal news and manage your subscriptions
- Drupal Swag Shop Get your Drupal branded merch!
- The Drupal Association Learn how we support Drupal's growth and innovation - and how you can help
- Become a Member Become a Ripplemaker and support the Drupal Association
- Become a Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Donate Make a donation to the nonprofit that supports Drupal
- Log in
- Create account
- Try Drupal CMS
- Try hosting

Posted by salmonek on February 7, 2024 at 12:34pm

Updated default CKEditor 4 library to the latest 4.24.0-lts. This version of the editor includes important security patches. From now on, all versions below 4.24.0-lts can no longer be considered as secure.

See CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009.

Security Updates:

Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection reported by Michal Frýba, ALEF NULA.
Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See GHA for more details.

Cross-site scripting (XSS) vulnerability in AJAX sample reported by Rafael Pedrero, see INCIBE report.
Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See GHA for more details.

Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature reported by Marcin Wyczechowski & Michał Majchrowicz, AFINE Team.
Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See GHA for more details.

If you use the CKEditor LTS module for Drupal 7.x, upgrade to CKEditor 7.x-1.25

Important note: If you use the CKEditor CDN, it is highly recommended to update the CKEditor JavaScript library to the newest version. To do so, edit the "CKEditor Global profile" settings in admin panel, at /admin/config/content/ckeditor/editg.

The current version can be found at https://cdn.ckeditor.com/.

VCS Label

7.x-1.25

Core compatibility

Release type

Security update

Short description

Default library version update

Packaged Git sha1

c9f50fb8d6a99d8a7b6da6a0501e4da9c10c7b01

Release files

c35f94470c979443c6bb0c6fa51999bc

Release file SHA-1 hash

a7aff3d0a4a8a43627a05c9ac4c06537db75e46c

Release file SHA-256 hash

8c085ed5c29916aea9a599372066a274dee117262649411189a6def75bb82c76

43e600eb0c2201eee404700b14319813

Release file SHA-1 hash

24c8aad1521a0760122b5ab1743229551a8b215c

Release file SHA-256 hash

81398c4540c6869b1ffe338dfd83151154724a904d1c906a2007493a9623ec5e