Drupal has released a security update to fix a vulnerability in the third-party CKEditor library. The CKEditor library is a built-in component of Drupal 8 core. Administrators of Drupal 7 may also choose to install the CKEditor library as an additional module. A remote attacker may exploit the vulnerability in CKEditor on a Drupal site to perform cross-site scripting (XSS) attacks against other Drupal users.
Please note that Drupal 8 prior to version 8.7.x reached its End-Of-Life (EOL) in December 2019. No security updates will be provided after that. Users should arrange to upgrade Drupal to a supported version or migrate to another supported technology.
A successful attack could lead to arbitrary code execution. Depending on the privileges the victim possesses, an attacker may gain unauthorised access to an affected system.
The product vendor has released patches for Drupal 8.x to address the issues.
Administrators who have installed the third-party CKEditor library should update the library to version 4.14 or higher.
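To find copies of the library that still need the update, the following added example (not part of the original advisory or of Drupal) walks a web root, reads the version from each `ckeditor.js` and flags builds older than 4.14. It assumes the build embeds its version as `version:"4.x.y"` in `ckeditor.js`, as minified CKEditor 4 builds do; the function names are illustrative.

```python
"""Added example: locate CKEditor 4 builds under a web root and flag those older than 4.14."""
import os
import re
import sys

# Assumption: ckeditor.js embeds its version as  version:"4.x.y"
# (single or double quotes), near the top of the file.
VERSION_RE = re.compile(r"""\bversion\s*:\s*["'](\d+(?:\.\d+)*)""")
FIXED = (4, 14)  # minimum version named in the advisory


def parse_version(js_text):
    """Return the version found in ckeditor.js as a tuple of ints, or None."""
    m = VERSION_RE.search(js_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_outdated(version):
    """True when version is below 4.14. Numeric compare, so 4.9 < 4.14."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def scan(webroot):
    """Return sorted [(path, version, status)] for every ckeditor.js under webroot."""
    results = []
    for dirpath, _dirs, files in os.walk(webroot):
        if "ckeditor.js" not in files:
            continue
        path = os.path.join(dirpath, "ckeditor.js")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(65536))
        if version is None:
            status = "unknown"   # unrecognised build: inspect by hand
        elif is_outdated(version):
            status = "outdated"  # update the library to 4.14 or higher
        else:
            status = "ok"
        results.append((path, version, status))
    return sorted(results)


if __name__ == "__main__":
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:9} {shown:8} {path}")
```

Run it with the site's document root as the only argument. A status of `unknown` means the file did not match the assumed version pattern and should be checked manually.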
https://www.drupal.org/sa-core-2020-001
https://www.drupal.org/core/release-cycle-overview