- Details
JCE 2.0.13 has been released with a number of bug fixes, including improvements to the JCE 1.5 to JCE 2.0 update process, fixes for the Styles, Tables and Paste plugins, support for empty parameter values (in some situations you may want to set a default parameter value to an empty value, e.g. Border Width), and an update to TinyMCE 3.4.5.
A full changelog is available
- Details
This is a maintenance update to fix errors in the Tables plugin introduced in 2.0.11 and a few other minor issues.
- Details
JCE 2.0.11 and JCE 1.5.7.14 have been released. Both updates include important security fixes and all users are urged to upgrade as soon as possible.
Vulnerability Reported
A vulnerability has been reported in JCE 2.0 and JCE 1.5 that allows a logged-in user who has access to JCE (i.e. they can create or edit articles) and to any of the Image Manager, Image Manager Extended, File Manager, Media Manager or Template Manager plugins to view and manipulate files and folders outside of the folder assigned to these plugins.
JCE 2.0.11 and JCE 1.5.7.14 add additional security checks to fix the vulnerability. Additional checks have also been added to some functions in the Image Manager Extended and Template Manager plugins.
Recommendations for securing JCE
JCE 2.0 and JCE 1.5 include a system that allows you to control who has access to JCE plugins (such as the Image Manager) and the features of these plugins (such as delete, rename etc.). Despite the additional security checks added in this update, it is advisable to take advantage of the Profile / Group system to restrict the use of JCE to trusted users and usergroups only, and not allow arbitrary users access to filesystem plugins like the Image Manager. This can be done quickly and easily with the following steps:
- Edit each Profile (or Group in JCE 1.5) and remove any usergroups from the User Group list in the Setup tab that don't need to access the features of that profile. You can create a new Profile for some usergroups (such as Authors) with a limited set of features for the editor.
- For each of the plugins mentioned above (Image Manager, Image Manager Extended, File Manager, Media Manager, Template Manager), disable any of the functions in the Plugin Parameters section that the users and usergroups assigned to the Profile shouldn't have. For example, you might set Folder Delete and File Delete for the Image Manager to No, which will prevent the users in the Profile from deleting folders and files.
Bugs Fixed
In addition to the security fixes, JCE 2.0.11 includes a number of bug fixes (see the Changelog for full details) as well as one new feature added to the Table button, allowing you to quickly create simple tables by selecting a grid from a dropdown menu.
Plugin Updates
The following plugins have been updated:
JCE 2.0
JCE 1.5
Updating JCE
JCE 2.0 and its plugins can be updated quickly and easily using the Updates dialog launched from the JCE Control Panel or JCE Installer page. JCE 2.0 and JCE 1.5 can be updated by installing the new version over the old using the Joomla! Installer (see JCE Installation).
- Details
This is a maintenance update that fixes a few bugs (see Changelog) and moves all assets (JavaScript and CSS) shared by the editor and administration component to the front-end component, to deal with issues caused when the site administration area is password protected using htaccess.
- Details
This is a maintenance update that fixes errors in the Preferences dialog, the Updates dialog and in image selection when the image contains a parent link.
In addition, third-party language packs are now checked for a 2.0 version number before being loaded, to prevent issues with legacy language packs after upgrading from JCE 1.5 to JCE 2.0.
A full changelog is available