Vulnerability stems from improper validation of tag tag in Enhanced Image plugin for CKEditor 4.5.11 and later versions. This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim’s browser and gain access to sensitive information. The vulnerability stemmed from the fact that it was possible to execute XSS inside Ckeditor when using the image2 plugin (which Drupal 8 core also uses),” the Drupal security team said. The plugin comes pre-integrated in Drupal core to help site administrators and users create interactive content.
Source: https://thehackernews.com/2018/04/drupal-site-vulnerability.html