April 18th, 2018
image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
- If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
- The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
- Marek Lewandowski of the CKEditor team
- Wiktor Walc of the CKEditor team
- Wim Leers
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Daniel Wehner
- Hai-Nam Nguyen
- Matthew Grill