2020-09-16 Drupal security releases
On September 16th 2020, Drupal released a critical and several moderately security issues related to some of its supported major versions:
- The SA-CORE-2020-007 is a Cross-site Scripting (XSS) vulnerability. The Drupal AJAX API does not deactivate JSONP by default, which can lead to cross-site scripting.
- The SA-CORE-2020-008 is an access bypass vulnerability. The “Workspaces” module is not able to check access permissions sufficiently when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see the content before the site owner publishes it.
- The SA-CORE-2020-009 is a Cross-site Scripting vulnerability. An attacker could leverage the way that HTML is rendered on the affected forms, in order to exploit that vulnerability.
- The SA-CORE-2020-010 is a Cross-site Scripting vulnerability. Drupal core’s built-in CKEditor image caption functionality is vulnerable to an XSS attack.
- The SA-CORE-2020-011 is an information disclosure vulnerability. A vulnerability exists in the “File” module which allows an attacker to gain access to the file metadata of a permanent private file which is not previously accessible by guessing its ID.
For more information refer to the following Drupal Security Advisories:
How To Patch It
- If you are using Drupal 7.x, upgrade to Drupal 7.73.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.
Affected platforms
All the Bitnami Drupal solutions and Drupal-based solutions such as CiviCRM and OpenAtrium are affected by this issue. At the moment of writing this note, Bitnami is releasing new versions for all the supported platforms: installers, virtual machines, cloud images, multi-tier solutions, containers, and Helm Charts.
-
Drupal:
- All containers and Helm charts have been released.
- Installers and virtual machines have been released.
- Cloud images and multi-tier solutions have been released. We continue working with the Marketplace teams to publish them.
-
CiviCRM:
- Installers and virtual machines have been released.
- Cloud images have been released. We continue working with the Marketplace teams to publish them.
-
OpenAtrium:
- Installers have been released.
- We continue working on releasing cloud images.
If you have any of these solutions deployed and they have not been updated yet to the latest version, you will need to follow the upgrade process described in our documentation.
- [Update 15.00 UTC September 21th] Drupal multi-tier solution has been released and it is available.
Do you have more questions? You can open an issue in this github repository. Our support team will be happy to help you there.