CKEditor version 4 has detected security vulnerabilities in the 4.24.1., so the component has been updated.

The CKEditor.Reactive was updated to mitigate these vulnerabilities, to assure that your applications that use this component is protected, these are the mitigation steps that need to be assured:

Issues:

• Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection
  
  Mitigation (needs to be assured in development time):
  Don't allow config: fullPage: true
  Don't allow config: allowedContent = true or adding CDATA elements in Advanced Content Filter

• Cross-site scripting (XSS) vulnerability in AJAX sample
  
  Mitigation
  The CKEditor.Reactive component doesn't have the affected file: samples/old/ajax.html
  
  
• Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
  
  Mitigation
  The CKEditor.Reactive component doesn't have the affected file: 
  samples/old/**/*.html
  plugins/[plugin name]/samples/**/*.html

Added more protection to the Upload API:

Site Properties:

OnlyAllowLoggedUsers: When is set to true, only authenticated users will be able to upload content, even if the page where component is deployed is anonymous.

VerifyAPIKeyOnUpload: When set to true, the upload requests will only be accepted if the header has the correct API Key

Both Site Properties have default to True, since they are related to security features. 

In case you need the component to act just like it was, change both Site Properties to False.

Timers:

ResetAPIKey:

Resets the APIKey, change the schedule to define what should be the interval to reset the API Key. Currently is defined to change once a day, at 00:00 UTC.

Updates

• Updated CKEditor version to 4.22.1
• Updated Upload handler to only accept mime types: image/jpeg; image/jpg; image/png; image/gif; image/bmp; video/mp4; video/mpeg
• Removed an CKEditor sample page that allowed XSS exploitation