CKEditor Prone to Multiple Vulnerabilities CF2018

Question

I am failing my security audits every month with a high severity 7.8 vulnerability in CKEDITOR. My Cyber Insurance carrier is demanding that something be done. How do we get Adobe to provide a security update for this vulnerable product or disable it so that I can pass an audit?

BKBK · Accepted Answer

That has indeed been a worry for some developers. See, for example, https://community.adobe.com/t5/coldfusion-discussions/manual-update-of-ckeditor-coldfusion-2021/td-p/12548807

My answer to your question is: create a feature request. In it, appeal to Adobe to update CKEditor.

Charlie Arehart · Answer

@azoner2965 in addition to what BKBK offers, can you clarify first if it's that they are complaining specifically about it being the 4.10.0 version? They may, of course. That's what CF2021 (and even latest versions of 2018 and 2016) put in place, and that's indeed "behind".

But I ask because I have helped many people find out that what they have in place (that sec scans may complain about) are even older versions of things, such as may exist in a CFIDE folder or some variant of the cf "scripts" folder...which may be folders found somewhere on their drive other than the [cf]\cfusion\wwwroot\ folder, where CF defaults to putting such things since CF2016.

The thing is, prior to that, the CF installer ASKED people where to put the CFIDE and its underlying cfscripts folder. And people could have put them anywhere, and the CF installer created a virtual directory in your web server pointing to that. But starting in CF2016, the installer no longer asks and it ONLY ever puts those in its OWN directory (and indeed now puts the cf_scripts folder as a sibling to CFIDE).

Anyway, I often help people find that their web server STILL has a virtual directory that points to some variant of the cfscripts (or worse, entire CFIDE) folder, which may be QUITE dated--but the people responsible for managing the web server are unaware and just blithely let those old virtual directories remain. (Since CF no longer even ALLOWS access to the CF Admin via an external web server like IIS or Apache, some may not even REALIZE that such CFIDE virtual directories exist pointing to old versions, since it doesn't affect their use of the CF Admin.)

I realize all this is perhaps unrelated to your specific interest. You may be referring solely to that 4.10 version of ckeditor that CF still sadly comes with, even in later 2022. As BKBK noted, you'll want to create a bug report pressing Adobe to reconsider that.

Sure, we shouldn't have to: old versions should be updated with each release. Sometimes, there may be compatibility issues where loss of functionality is considered more worrisome than risks of running "old" versions. In the absence of outcry from the community, perhaps the team takes the path of least resistance. (When you consider that there are dozens of such libraries that CF bundles, that only exacerbates the potential for such trouble.)

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded