JCE 2.5.3 has been released. This is an important security update.
A vulnerability has been reported in the JCE upload routine that could allow a privileged user (in this case, one allowed to use the editor and upload files), using the right tools, to upload a PHP file to the site by intercepting and altering the upload request data. The upload destination is limited to the one set in the editor profile ("images" by default).
This vulnerability was introduced by a coding mistake in JCE 2.5.0 and affects versions 2.5.0, 2.5.1 and 2.5.2. Earlier versions do not appear to be affected, but all users are requested to upgrade to 2.5.3.
Thank you to Fábio Pires (https://twitter.com/fabiopirespt), Vitor Oliveira (https://twitter.com/r0t1v) and Filipe Reis (https://twitter.com/fjreis) from INTEGRITY Portugal for reporting the vulnerability and verifying the fix.
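For sites that ran 2.5.0 to 2.5.2, the following check is an added example (not code from JCE or from this announcement): it walks the upload destination described above and reports files that carry a PHP extension or contain a PHP open tag. The extension list, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: extensions a typical web server may hand to the PHP interpreter;
# adjust to match the handler configuration of your own server.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}

def audit_upload_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS:
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1024 * 1024)  # first 1 MiB is enough for a tag check
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # Only the long open tag is matched; "<?" alone would flag every XML file.
            if b"<?php" in head.lower():
                findings.append((rel, "php-open-tag"))
    return sorted(findings)

def demo():
    # Constructed sample tree standing in for the default "images" folder.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "banners"))
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "index.html": b"<html><body></body></html>",
            "banners/upload.php": b"<?php echo 'constructed sample'; ?>",
            "banners/photo.jpg": b"\xff\xd8\xff\xe0 <?php /* constructed */ ?>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:14} {rel}")
```

Point `audit_upload_dir` at the folder set in the editor profile; any finding deserves manual review, since image metadata can occasionally contain the tag string.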
Upgrading to JCE 2.5.3
Upgrading to JCE 2.5.3 is quick and easy. If you are using Joomla 3, you will be notified of an available update after logging into the Administration.
Click on the View Updates button. A list of available updates will be displayed. Select JCE Editor, then click the Update button.
If you are using Joomla 1.5 or Joomla 2.5, you can upgrade using the Updates dialog in the JCE Control Panel.
Click on the Updates Available button.
In the dialog shown, select JCE Editor.
Click on the Install Selected Updates button.
Alternatively, the upgrade can be made by downloading the 2.5.3 package and installing it using the Joomla Extension Manager.
A full list of fixes is available in the Changelog.
Download and Installation
Instructions for installing and updating JCE for each Joomla version are available here.
JCE can also be updated from previous versions using the JCE Updater in Joomla! 1.5 and 2.5, or using the Joomla! Update Manager in Joomla! 2.5 and 3.