Drupal 8.9.19, 9.1.13, and 9.2.6 released with several security fixes

Published on 16 Sep 2021

Drupal core maintainers have released three new Drupal core releases, in the 8.9.x, 9.1.x, and 9.2.x series, that fix several security vulnerabilities covered by the security advisories SA-CORE-2021-006 through SA-CORE-2021-010.

Drupal, the popular open-source content management system written in PHP, has four version branches that receive security updates: 7.x, 8.9.x, 9.1.x, and 9.2.x. Of these, 9.2.x is the active branch and the recommended one for new projects; all four branches are covered by Drupal security coverage.

Drupal 8.x versions prior to 8.9.x and Drupal 9.x versions prior to 9.1.x are no longer covered by Drupal security coverage: they receive no security updates and may remain vulnerable to these and future issues.

Released Security Updates

  • Drupal 8.9.19

  • Drupal 9.1.13

  • Drupal 9.2.6

Drupal 7.x versions are not affected by this security update.

Fixed Vulnerabilities

This security update fixes several vulnerabilities in the bundled JSON:API, Media, and QuickEdit modules.

  • Media module: Fixes a cross-site request forgery vulnerability through which a user with permission to embed media could inject HTML. CVE ID: CVE-2020-13673 / Drupal.org: SA-CORE-2021-006

  • QuickEdit module: Fixes a cross-site request forgery vulnerability; the module did not properly validate access to its URI endpoints. CVE ID: CVE-2020-13674 / Drupal.org: SA-CORE-2021-007

  • JSON:API module: When used together with the REST or File module, fixes an access bypass vulnerability that could allow an attacker to upload files while bypassing some of the validation rules. CVE ID: CVE-2020-13675 / Drupal.org: SA-CORE-2021-008

  • QuickEdit module: Fixes an access bypass vulnerability where access to fields was not validated in certain circumstances. CVE ID: CVE-2020-13676 / Drupal.org: SA-CORE-2021-009

  • JSON:API module: Fixes an access bypass vulnerability where the module likewise did not properly check field access in certain circumstances. CVE ID: CVE-2020-13677 / Drupal.org: SA-CORE-2021-010

Mitigation Factors

Only sites that use the modules mentioned above are affected. Note that the QuickEdit module is enabled by default in the Drupal standard installation profile, so a default installation is affected by the two QuickEdit advisories. If a site cannot be updated immediately, uninstalling the affected modules removes the vulnerable code until the update can be applied. Uninstalling JSON:API or Media is only practical where no site functionality or content depends on them, so updating core remains the real fix.
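As an added example (not code from the PHP.Watch article or from the Drupal project), the following POSIX shell script turns the branch and release information above into a check you can run against a site's document root: it reads the core version from core/lib/Drupal.php and reports whether that version already carries the SA-CORE-2021-006 through SA-CORE-2021-010 fixes, is on a supported branch but still older than the fixed release, or sits on a branch that no longer receives security coverage. The file path, the `const VERSION` pattern, and the composer and drush commands quoted in the comments are assumptions about a standard Drupal 8/9 install, not something the article states.

```shell
#!/bin/sh
# Added example for this article; it is not code from PHP.Watch or the Drupal
# project. It classifies a Drupal core version against the releases that carry
# the SA-CORE-2021-006 through SA-CORE-2021-010 fixes (8.9.19, 9.1.13, 9.2.6).
# Assumptions: the version is read from core/lib/Drupal.php, which in Drupal 8
# and 9 declares `const VERSION = '...';`, and the branch support status is the
# one stated in the article (7.x unaffected; 8.x before 8.9 and 9.0.x no longer
# covered by Drupal security coverage).

# Keep only the leading digits of a version component ("0-dev" -> "0").
_num() {
  n="${1%%[!0-9]*}"
  printf '%s' "${n:-0}"
}

# drupal_core_status VERSION -> prints one of:
#   patched      carries the fixes from this set of advisories
#   vulnerable   a supported branch, but older than its fixed release
#   unsupported  branch no longer receives security coverage at all
#   unaffected   Drupal 7.x, which these advisories do not touch
#   unknown      anything the article does not cover (e.g. a 9.3.x dev build)
drupal_core_status() {
  v="$1"
  major=$(_num "${v%%.*}")
  rest="${v#*.}"
  minor=$(_num "${rest%%.*}")
  patch=$(_num "${rest#*.}")

  case "$major" in
    7) echo unaffected ;;
    8)
      if [ "$minor" -lt 9 ]; then echo unsupported
      elif [ "$patch" -ge 19 ]; then echo patched
      else echo vulnerable
      fi ;;
    9)
      case "$minor" in
        0) echo unsupported ;;
        1) if [ "$patch" -ge 13 ]; then echo patched; else echo vulnerable; fi ;;
        2) if [ "$patch" -ge 6 ]; then echo patched; else echo vulnerable; fi ;;
        *) echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# drupal_core_version DOCROOT -> prints the version declared in
# core/lib/Drupal.php; returns non-zero if that file is not there.
drupal_core_version() {
  f="$1/core/lib/Drupal.php"
  [ -f "$f" ] || return 1
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$f" | head -n 1
}

# drupal_audit DOCROOT -> "<version>: <status>" for one site.
# The follow-up actions are run by hand, not by this script; the usual forms are
#   composer update "drupal/core-*" --with-all-dependencies   (apply the fixed release)
#   drush pm:uninstall quickedit                               (mitigation while you cannot update)
drupal_audit() {
  ver=$(drupal_core_version "$1") || { echo "no Drupal core found under $1" >&2; return 2; }
  printf '%s: %s\n' "$ver" "$(drupal_core_status "$ver")"
}
```

Source the file and run `drupal_audit /var/www/example-site` (the path is a placeholder). Anything reported as `vulnerable` needs the point release for its branch; anything reported as `unsupported` needs a move to a covered branch, because no point release will arrive for it.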
