21 July 2022
Drupal version 9.3.19 is now available (security release).
Upgrading to Drupal 9.3.19
Drupal 9.3.19 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 9.3.19 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron
What's New in Drupal 9.3.19
- Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 - In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.
- Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 - Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
- Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 - Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.
- Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 - The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.