
The path [cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor detected as vulnerable.

New Here, Nov 29, 2024

[cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor

Our internal vulnerability scan refers to the above folder (ckeditor) in the ColdFusion 2021 installation path as vulnerable, which is also mapped to the website as a virtual directory. How can we fix this issue and pass the vulnerability test?

Community Expert, Nov 30, 2024

What is your ColdFusion 2021's update level? I ask because recent ColdFusion 2021 hotfixes, such as Update 13, contain hotfixes for CKEditor.

You should, in any case, update ColdFusion 2021 to the latest level, which is 17. Then see what your vulnerability scan says.

Adobe Employee, Dec 02, 2024

Hi @brado70491931, as @BKBK mentioned, please check what update level your ColdFusion is on. If it is not the latest update, please update the server to the latest one, which is Update 17: https://helpx.adobe.com/in/coldfusion/kb/coldfusion-2021-update-17.html

So far we have not yet received any issues from any scanner which is flagging this directory.

Thanks,
Priyank Shrivastava
New Here, Dec 09, 2024

We are on Update 15 of ColdFusion 2021.

New Here, Dec 09, 2024

It says the version of CKEditor is old.

Community Expert, Dec 09, 2024

@brado70491931, ColdFusion uses version 4 of CKEditor. To see this, launch the following URL, or its equivalent, in a browser: http://127.0.0.1:8500/cf_scripts/scripts/ajax/ckeditor/samples/

Relatively speaking, version 4 isn't old, since the current version of the editor is CKEditor 5. What is important is to address any vulnerability that a CKEditor version may have. That is what Update 13 of ColdFusion 2021 did.
