From our security test the following warnings are given:
- Use of CKEditor library version 4.14.0 which contains vulnerabilities.
- Use of JQuery library version 2.2.0 which contains vulnerabilities.
Request
Can there be an update of this Forge component with the latest versions?
Impact
CKEditor:
• The vulnerability might be affecting a feature of the library that the website is not using. If the vulnerable
feature is not used, this alert can be considered as false positive.
• The attacker-supplied code can perform a wide variety of actions, the main problems associated with
successful XSS attacks are (impact of the attack will depend on the skills of the attacker in JavaScript):
– Account hijacking – An attacker can hijack the user’s session before the session cookie expires
and take actions with the privileges of the user who accessed the URL, such as issuing database
queries and viewing the results.
– Malicious script execution – Users can unknowingly execute JavaScript, VBScript, ActiveX, Hypertext
Markup Language (HTML), or even Flash content that has been inserted into a dynamically
generated page by an attacker.
– Worm propagation – With Ajax applications, XSS can propagate somewhat like a virus. The XSS
payload can autonomously inject itself into pages, and easily reinject the same host with more
XSS, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using
complex HTTP methods to propagate itself invisibly to the user.
– Information theft – Via redirection and fake sites, attackers can connect users to a malicious server
of the attacker’s choice and capture any information entered by the user.
– Denial of Service (DoS) – Often by utilizing malformed display requests on sites that contain an
XSS vulnerability, attackers can cause a DoS condition to occur by causing the host site to query
itself repeatedly.
– Browser Redirection – On certain types of sites that use frames, a user can be made to think that
he is in fact on the original site when he has been redirected to a malicious one, since the URL
in the browser’s address bar will remain the same. This is because the entire page isn’t being
redirected, just the frame in which the JavaScript is being executed.
– Manipulation of user settings – Attackers can change user settings for nefarious purposes.
jQuery:
• The attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session
token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their
keystrokes.
Proof of concept:
It's 3 months later. Please provide a reaction to this security alert!
Hi all,
Just to make sure everyone knows. I'm currently not actively maintaining any apps in OutSystems.
Greetings,