
CKEditor Prone to Multiple Vulnerabilities CF2018

Community Beginner, Oct 04, 2022


I am failing my security audits every month with a high severity 7.8 vulnerability in CKEDITOR. My Cyber Insurance carrier is demanding that something be done. How do we get Adobe to provide a security update for this vulnerable product or disable it so that I can pass an audit? 

1 Correct answer

Community Expert, Oct 05, 2022

That has indeed been a worry for some developers. See, for example, https://community.adobe.com/t5/coldfusion-discussions/manual-update-of-ckeditor-coldfusion-2021/td-p/12548807 


My answer to your question is: create a feature request. In it, appeal to Adobe to update CKEditor.

Community Beginner, Oct 12, 2022

Thank you. I've got a renewal call coming up and I'll ask for action.

Community Expert, Oct 06, 2022

@azoner2965 in addition to what BKBK offers, can you clarify first if it's that they are complaining specifically about it being the 4.10.0 version? They may, of course. That's what CF2021 (and even latest versions of 2018 and 2016) put in place, and that's indeed "behind".


But I ask because I have helped many people find out that what they have in place (that sec scans may complain about) are even older versions of things, such as may exist in a CFIDE folder or some variant of the cf "scripts" folder...which may be folders found somewhere on their drive other than the [cf]\cfusion\wwwroot\ folder, where CF defaults to putting such things since CF2016.


The thing is, prior to that, the CF installer ASKED people where to put the CFIDE and its underlying cfscripts folder. And people could have put them anywhere, and the CF installer created a virtual directory in your web server pointing to that. But starting in CF2016, the installer no longer asks and it ONLY ever puts those in its OWN directory (and indeed now puts the cf_scripts folder as a sibling to CFIDE).


Anyway, I often help people find that their web server STILL has a virtual directory that points to some variant of the cfscripts (or worse, entire CFIDE) folder, which may be QUITE dated--but the people responsible for managing the web server are unaware and just blithely let those old virtual directories remain. (Since CF no longer even ALLOWS access to the CF Admin via an external web server like IIS or Apache, some may not even REALIZE that such CFIDE virtual directories exist pointing to old versions, since it doesn't affect their use of the CF Admin.)


I realize all this is perhaps unrelated to your specific interest. You may be referring solely to that 4.10 version of ckeditor that CF still sadly comes with, even in later 2022. As BKBK noted, you'll want to create a bug report pressing Adobe to reconsider that.


Sure, we shouldn't have to: old versions should be updated with each release. Sometimes, there may be compatibility issues where loss of functionality is considered more worrisome than risks of running "old" versions. In the absence of outcry from the community, perhaps the team takes the path of least resistance. (When you consider that there are dozens of such libraries that CF bundles, that only exacerbates the potential for such trouble.)


/Charlie (troubleshooter, carehart.org)
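Charlie's point above is that a scanner may be flagging a forgotten copy of CKEditor in an old CFIDE or cf_scripts folder, reached through a stale web-server virtual directory, rather than the 4.10.0 build under [cf]\cfusion\wwwroot. The following script is an added example (not code from the thread or from Adobe) of the inventory check a defender would run first: walk a drive for every ckeditor.js, pull the build version out of each one, flag copies older than the shipped build, and list virtual-directory mappings whose physical path falls outside the expected wwwroot. It assumes a built CKEditor 4 ckeditor.js carries a marker of the form version:"4.10.0"; the sample file tree, the version strings other than 4.10.0 and the virtual-directory list are constructed here so it runs offline.

```python
"""Inventory CKEditor copies on a drive and flag stale web-server mappings.

Added example, not from the forum thread. Sample files and mappings are
constructed below so the script runs offline; replace build_sample_tree()
with a real drive root and sample_mappings() with your IIS/Apache aliases.
"""
import os
import re
import tempfile

# Assumption: a built CKEditor 4 ckeditor.js carries a marker such as
#   version:"4.10.0"   (the minified CKEDITOR.version property).
VERSION_RE = re.compile(r'''version\s*[:=]\s*['"](\d+\.\d+\.\d+)''')


def parse_version(text):
    """Return the first x.y.z version marker as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split('.')) if m else None


def find_ckeditor_copies(root):
    """Walk root; return sorted [(path, version_or_None)] for every ckeditor.js."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == 'ckeditor.js':
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    # The marker sits near the top of the build; 200 KB is plenty.
                    found.append((path, parse_version(fh.read(200_000))))
    return sorted(found)


def outdated(copies, minimum):
    """Copies older than minimum, plus copies whose version could not be read."""
    return [(p, v) for p, v in copies if v is None or v < minimum]


def stale_virtual_dirs(mappings, expected_root):
    """Aliases whose physical path is not under expected_root (e.g. old CFIDE)."""
    exp = os.path.normcase(os.path.normpath(expected_root))
    stale = []
    for alias, physical in mappings:
        phys = os.path.normcase(os.path.normpath(physical))
        if not (phys == exp or phys.startswith(exp + os.sep)):
            stale.append((alias, physical))
    return stale


def build_sample_tree():
    """Constructed drive layout: current copy under wwwroot, old leftovers elsewhere."""
    root = tempfile.mkdtemp(prefix='cfscan_')
    layout = {
        # the build CF ships under its own wwwroot
        'cfusion/wwwroot/cf_scripts/scripts/ajax/ckeditor/ckeditor.js': 'version:"4.10.0"',
        # constructed leftover from a pre-CF2016 install (version value is made up)
        'inetpub/oldsite/CFIDE/scripts/ajax/ckeditor/ckeditor.js': 'version:"4.2.1"',
        # constructed copy with no readable marker at all
        'legacy/cfscripts/ckeditor/ckeditor.js': '/* no version marker */',
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write('(function(){var CKEDITOR={' + body + '};})();')
    return root


def sample_mappings(root):
    """Constructed virtual directories: one under wwwroot, one pointing elsewhere."""
    return [
        ('/CFIDE', os.path.join(root, 'cfusion', 'wwwroot', 'CFIDE')),
        ('/cfscripts', os.path.join(root, 'legacy', 'cfscripts')),
    ]


if __name__ == '__main__':
    root = build_sample_tree()
    shipped = (4, 10, 0)  # the build CF2018/CF2021 put in place
    for path, ver in outdated(find_ckeditor_copies(root), shipped):
        print('OUTDATED or unknown version:', path, ver)
    for alias, phys in stale_virtual_dirs(sample_mappings(root), os.path.join(root, 'cfusion', 'wwwroot')):
        print('Virtual directory outside wwwroot:', alias, '->', phys)
```

On a real server, point find_ckeditor_copies at each drive root and feed stale_virtual_dirs the alias-to-path list from the web server (for IIS, the virtual directory list from IIS Manager; for Apache, the Alias directives). A copy that reports no version at all deserves the same attention as an old one: the scanner will fingerprint it anyway, and you cannot argue a finding away for a file you cannot even date.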

Community Beginner, Oct 12, 2022

Thanks Charlie. Luckily we built new servers when we installed CF2018.
