Project: Drupal core
Date: 2020-September-16
Security risk: Moderately critical 14∕25
Vulnerability: Cross-site scripting
CVE IDs: CVE-2020-13666The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.
Install the latest version:
This maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.
A new version of WordPress named “Eckstine” has been released today. Named “Eckstine” in honor of Billy Eckstine, this latest and greatest version of WordPress is available for download or update in your dashboard.
Posts and pages feel faster, thanks to lazy-loaded images.
Images give your story a lot of impact, but they can sometimes make your site seem slow.
In WordPress 5.5, images wait to load until they’re just about to scroll into view. The technical term is ‘lazy loading.’
Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25
Vulnerability: Access bypassThe Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
Project: Modal Form
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Critical 16∕25
Vulnerability: Access bypassThe Modal form module is a toolset for quick start of using forms in modal windows.
Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the form's fully-qualified class name.
Upgrade to modal_form-8.x-1.2.
Project: Easy Breadcrumb
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.
The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.
Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25
Vulnerability: Access bypassThe renderkit module contains components which can transform the display of field items sent to it.
Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.
Project: YubiKey
Version: 7.x-2.x-dev
Date: 2020-June-10
Security risk: Less critical 9∕25
Vulnerability: Access bypassThis module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.
Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scriptingThis module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.
The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
This security and maintenance release features 22 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.
These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.
If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.
Security Updates