Manual update of CKEditor Coldfusion 2021

Report · Nov 24, 2021

My internal security scans are still going nuts when scanning the Coldfusion server in regard to CKEditor. Is there a manual way to upgrade from the installed 4.10 to at least the 4.16 version to plug a bunch of holes? Or even better the current 4.17 version on the 4.X stack.

Report · Nov 28, 2021

Your worries are justified. Especially given the CKEditor vulnerability discovered some years ago. However, even if you could manually update CKEditor, I would discourage you from doing so.

CKEditor is integrated in ColdFusion. There might be dependencies that you're unaware of. If you tampered with the CKEditor installation, you might break more things than you fix.

ColdFusion is a service. So, where necessary, the service-provider is best placed to do the update. Make a ColdFusion 2021 Feature Request. After all, as the vulnerability proved, what you want is in Adobe's best interest.

Report · Nov 30, 2021

We have the same issue.

Report · Dec 09, 2021

We are seeing this as an issue on our 2018 installations, as well. Sorry to hear that manually moving up to a newer version isn't a practical solution. With CKEditor at v5, and this an issue in 2021, I don't hold out hope for a resolution for our environment.

Report · Dec 09, 2021

We aren't using the CKEditor upload feature. Is there a way to disable it?

Report · Oct 06, 2022

I realize this question (about removing fileupload capabilities from ckeditor) is now several months old, but if you're still interested (@altascene), are you aware first that CF prevents file uploads to CF from that by default? See the file settings.cfm (in [cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor\, which has this line:

<cfset settings.AllowUploads = "false">

That defaults to false for CF2021, 2018, and 2016 (CF11 had used fckeditor).

Or if you may mean you want to remove the upload elements from the UI (such as in cftextarea richtext="true"), I'll note first that I don't find it appearing in CF2021, but if you do see it, you should be able to remove it by editing the config.js (in [cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor\) and using its removeDialogTabs setting:

config.removeDialogTabs = 'link:upload;image:Upload';

which is discussed a bit more in the ckeditor config docs here. If that helps (or does not), let us know. If you've moved on and are no longer concerned about the matter, I hope it may help future readers (and I'm open to correction if I have anything wrong).

/Charlie (troubleshooter, carehart.org)