Yesterday the Drupal Security Team cut numerous CVE for Drupal 8 and 9.
While most of these look pretty minimal, I would strongly recommend doing this update ASAP. It went in very smoothly for me on the sites that I have done the updates on (for both Drupal 8 and 9).
As always, security updates should be prioritized. If possible, I recommend avoiding any feature deployments with the security update and just pushing the security update if possible.
Analysis
While 4/5 of the vulnerabilities are listed as “moderately” critical, the biggie is CVE-2020-13668 which could allow an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
Related Content
Featured
A tutorial for how to use the Drupal plugin system to embed Javascript on a website securely.