Yesterday the Drupal Security Team cut numerous CVEs for Drupal 8 and 9.
While most of these look pretty minimal, I would strongly recommend doing this update ASAP. It went in very smoothly for me on the sites that I have done the updates on (for both Drupal 8 and 9).
As always, security updates should be prioritized. If possible, I recommend avoiding any feature deployments with the security update and just pushing the security update on its own.
Analysis
While 4/5 of the vulnerabilities are listed as “moderately” critical, the biggie is CVE-2020-13668, which could allow an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.