22 September 2020
Drupal version 8.9.6 is now available.
Upgrading to Drupal 8.9.6
Drupal 8.9.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 8.9.6 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron
What's New in Drupal 8.9.6
- Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007 - The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
- Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008 - The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.
- Drupal core - Critical - Cross-site scripting - SA-CORE-2020-009 - Drupal 8 and 9 have a reflected cross-site scripting (XSS) vulnerability under certain circumstances. An attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability.
- Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-010 - Drupal core's built-in CKEditor image caption functionality is vulnerable to XSS.
- Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011 - A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.