Drupal has released security updates to address vulnerabilities affecting Drupal 7, 8.8, 8.9, and 9.0. A remote attacker could exploit one of these vulnerabilities to take control of an affected system. The systems are vulnerable to cross site forgery and arbitrary PHP code execution.
Users and administrators to review Drupal Advisories SA-CORE-2020-004 and SA-CORE-2020-005 for more information and to apply the necessary updates.
Solution
Install the latest version:
- If you are using Drupal 7.x, upgrade to Drupal 7.72.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
