- Advisory ID: PSA-2011-002
- Date: 2011-June-15
- Project: External libraries and plugins
Just like there's a need to diligently follow announcements and update contributed modules downloaded from Drupal.org, there's also a need to follow announcements by vendors of third-party libraries or plugins that are required by such modules.
Drupal's update module has no functionality to alert you to these announcements. The Drupal security team will not release announcements about security issues in external libraries and plugins.
Exploit examples are circulating. Affected versions:
- CKEditor versions prior to version 3.5.4
- FCKEditor versions prior to version 22.214.171.124
Follow release announcements by the vendors of the external libraries and plugins you use.
In this specific case, remove the _samples directory from the (f)ckeditor installation or upgrade to a non-vulnerable version. Make sure to test compatibility between Drupal modules and new library versions before deploying.
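As an added example (not part of the advisory, and not code from the Drupal or CKEditor projects), the following POSIX shell script locates the `_samples` directory under any `ckeditor` or `fckeditor` install below a Drupal docroot and, on request, removes it; the directory names, the default dry-run mode and the `remove` argument are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the advisory): locate the `_samples` directory that
# ships with CKEditor / FCKeditor under a Drupal docroot and, on request, delete
# it. Removing `_samples` is the advisory's interim mitigation; upgrading the
# library to a non-vulnerable release is still the real fix.
# Assumption: the editor lives in a directory named ckeditor or fckeditor
# (any letter case); other `_samples` directories are left alone.

# Print every _samples directory whose parent directory is (f)ckeditor.
find_sample_dirs() {
  find "$1" -type d -name '_samples' 2>/dev/null | while IFS= read -r d; do
    parent=$(basename "$(dirname "$d")" | tr 'A-Z' 'a-z')
    case "$parent" in
      ckeditor|fckeditor) printf '%s\n' "$d" ;;
    esac
  done
}

# Print how many matching _samples directories exist below the root.
count_sample_dirs() {
  n=0
  while IFS= read -r d; do
    [ -n "$d" ] && n=$((n + 1))
  done <<EOF
$(find_sample_dirs "$1")
EOF
  echo "$n"
}

# Dry run by default: list what would go. Pass "remove" to actually delete.
purge_sample_dirs() {
  root="$1"; mode="${2:-dry-run}"
  while IFS= read -r d; do
    [ -n "$d" ] || continue
    if [ "$mode" = "remove" ]; then
      rm -rf -- "$d" && echo "removed: $d"
    else
      echo "would remove: $d"
    fi
  done <<EOF
$(find_sample_dirs "$root")
EOF
}

# Usage: sh this_script.sh /path/to/drupal [remove]
if [ "$#" -gt 0 ]; then
  purge_sample_dirs "$1" "${2:-dry-run}"
fi
```

Run it once without `remove` to review the list, then again with `remove`; afterwards re-test the editor module against the site, since some modules reference files under `_samples`.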
The Drupal security team was alerted to this issue by Henry Sudhof.
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.