JCE 2.5.3 has been released. This is an important security update.

    Security Update

    A vulnerability has been reported in the JCE upload routine that could allow a privileged user (in this case, one allowed to use the editor and upload files), using the right tools, to upload a PHP file to the site by intercepting and altering the upload request data. The upload destination is limited to that set in the editor profile ("images" by default).

    This vulnerability was introduced as the result of a mistake in the code in JCE 2.5.0 and affects versions 2.5.0, 2.5.1 and 2.5.2. Versions prior to this do not appear to be affected, but all users are requested to upgrade to 2.5.3.

    Thank you to Fábio Pires (https://twitter.com/fabiopirespt), Vitor Oliveira (https://twitter.com/r0t1v) and Filipe Reis (https://twitter.com/fjreis) from INTEGRITY Portugal for reporting the vulnerability and verifying the fix.

    Upgrading to JCE 2.5.3

    Upgrading to JCE 2.5.3 is quick and easy. If you are using Joomla 3, you will be notified of an available update after logging into the Administration.

    Click on the View Updates button. A list of available updates will be displayed. Select JCE Editor, then click the Update button.

    If you are using Joomla 1.5 or Joomla 2.5, you can upgrade using the Updates dialog in the JCE Control Panel.

    Click on the Updates Available button.

    In the dialog shown, select JCE Editor.

    Click on the Install Selected Updates button.

    Alternatively, the upgrade can be made by downloading the 2.5.3 package and installing it using the Joomla Extension Manager.

    Bug Fixes

    A full list of fixes is available in the Changelog.

    Download and Installation

    Instructions for installing and updating JCE for each Joomla version are available here

    JCE can also be updated from previous versions using the JCE Updater in Joomla! 1.5 and 2.5 or using the Joomla! Update Manager in Joomla! 2.5 and 3.