We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
If you are using Drupal 8, update to Drupal 8.5.2
or Drupal 8.4.7
The Drupal 7.x CKEditor contributed module
is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG
Original author: Drupal Security Team