Drupal has patched a Moderately Critical cross-site scripting (XSS) vulnerability in Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal update SA-CORE-2021-003 patches a vulnerability in the third-party CKEditor library. The library has an error in parsing HTML that could lead to an XSS attack.
The issue is fixed with CKEditor 4.16.1 and later and affects Drupal 8.9, 9.0 and 9.1.
Moreover, patches are not available for end-of-life versions of Drupal 8 prior to 8.9x.
There was no CVE assigned to this vulnerability at the time of advisory publication.