Drupal 8.9.6 / Drupal 9.0.6 Security Update

Yesterday the Drupal Security Team cut numerous CVEs for Drupal 8 and 9.

While most of these look pretty minimal, I would strongly recommend doing this update ASAP. It went in very smoothly for me on the sites that I have done the updates on (for both Drupal 8 and 9).

As always, security updates should be prioritized. If possible, I recommend avoiding any feature deployments with the security update and just pushing the security update.

Analysis

While 4/5 of the vulnerabilities are listed as “moderately” critical, the biggie is CVE-2020-13668, which could allow an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
