JCE is a very popular content editor for Joomla! sites. A vulnerability has been reported in JCE 2.0 and JCE 1.5 that allows a logged-in user who has access to JCE (i.e. they can create or edit articles) and to any of the Image Manager, Image Manager Extended, File Manager, Media Manager or Template Manager plugins to view and manipulate files and folders outside of the folder assigned to these plugins.
JCE 2.0.11 and JCE 220.127.116.11 add additional security checks to fix the vulnerability. Additional checks have also been added to some functions in the Image Manager Extended and Template Manager plugins.
- Upgrade JCE to the latest version.