Dear Adobe - please, please, PLEASE update the ver...
# adobe
s
Dear Adobe - please, please, PLEASE update the version of CKEditor in CF 2021 (and others) - so that I will STOP getting HAMMERED by my security team for it - https://tracker.adobe.com/#/view/CF-4220142
d
Probably not the response you want, but I would recommend never relying on any of the UI-based tags in CFML. If you like CKEditor, just implement it manually. Then you have total control of the version you are using. The reality is that Adobe is never likely to keep up with the rate of changes in third party libraries like this that will totally satisfy security concerns.
c
One thing I remember from CFSummit 2023 was that the next version of CF (2024 I guess) will have all of the 3rd party libraries updated to the latest secure versions, and there will be an emphasis put on keeping up-to-date going forward from there.
But I don't believe they are back-porting the library updates to 2021 or 2023.
s
I don't use CKEditor for anything - but because it exists in the cfscripts/ajax path - the security scanner is catching it and flagging it as a MEDIUM risk
d
If you don't use it, then block access to the files.
s
And if they are truly not looking at backporting library updates for libraries that have HUGE security holes in them - I guess it is time to start looking into re-engineering our apps into Lucee or something else entirely.
If they are going to continue to bundle 3rd party apps - they should either provide regular updates of them - or provide us with methods to update them ourselves.
d
When we were still on ACF, I just set up rules in our web server to block access to the client libraries, that way we couldn't be exploited. Just make sure you have rules in place to test that your access rules to block the resources stay in place.
s
And where did you set these access rules?
I run in a Windows/IIS environment
d
That's going to be based on your web server
We're on Linux/Nginx, but a quick Google search should turn up lots of results on how to block access to specific files and paths in IIS.