From drupal.org
Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.
The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.