CKEditor 4.x prior to 4.11.0 allows user-assisted XSS involving a source-mode paste.
ckeditor ckeditor