Drupal has released a security advisory to address multiple vulnerabilities in the CKEditor library for WYSIWYG editing. A remote attacker may upload a maliciously crafted file to a vulnerable system to exploit the vulnerabilities.
Please note that Drupal 9 prior to version 9.2.x have reached End-Of-Life (EOL). No security updates will be provided after that. Users should arrange upgrading the Drupal to supported versions or migrating to other supported technology.
Successful exploitation could lead to cross site scripting on an affected system.
The product vendor has released patches to address the issues.
System administrators should review if other distributions of the CKEditor plugin or the Webform module were installed and ensure the CKEditor modules were also up-to-date after updating Drupal core and libraries for any affected contributed modules:
https://www.drupal.org/docs/contributed-modules/webform/webform-libraries