CiviCRM did not provide sufficient protection on the CKEditor configuration form, which could allow a malicious third-party to trick a CiviCRM administrator into changing the configuration.
Note: This form had another vulnerability in the same version. The risk from two overlapping vulnerabilities may be greater than the risk of each individually.
Affected versions: CiviCRM version 5.28.0 and earlier
Fixed versions: CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM, or use an editor other than the CKEditor included with Core
Dennis Brinkrolf of RIPS Technologies and Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Seamus Lee and Coleman Watts for fixing the issue
MOSS CIV-01-016
security/core#74