Drupal CMS Vulnerability and Security Updates, issued June 01, 2021
Drupal has released security updates to address a vulnerability affecting Drupal CMS versions 8.9, 9.0, and 9.1. Successful exploitation of this vulnerability could allow remote code execution or allow an attacker to take control of an unpatched system.
Drupal core uses the third-party CKEditor library. Versions of the library prior to CKEditor 4.16.1 have an error in parsing HTML that could lead to a cross-site scripting (XSS) attack. CKEditor 4.16.1 and later include the security fix.
The National Cyber Security Authority recommends that all Drupal users and administrators install the latest version as follows:
- If you are using Drupal 9.1, update to Drupal 9.1.9.
- If you are using Drupal 9.0, update to Drupal 9.0.14.
- If you are using Drupal 8.9, update to Drupal 8.9.16.
Versions of Drupal 7 and 8 prior to 8.9.x are end-of-life and no longer receive security updates and patches.
- Where the Drupal versions in use are end-of-life, you are advised to immediately install Drupal 9.1.9, which is the latest stable release of Drupal core.
System administrators should continually check for software versions and update as new versions become available.
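The version guidance above, written as an added Python example (not part of the advisory and not Drupal's own code): it triages a constructed inventory of core and CKEditor version strings against the fixed releases listed here. The inventory, the function names, and the handling of suffixed builds and unlisted branches are assumptions of the example.

```python
import re

# Fixed core releases from the advisory, keyed by (major, minor) branch.
FIXED_CORE = {(9, 1): "9.1.9", (9, 0): "9.0.14", (8, 9): "8.9.16"}
EOL_TARGET = "9.1.9"         # advisory's target for end-of-life branches
CKEDITOR_FIXED = (4, 16, 1)  # first CKEditor release with the XSS fix

def parse(version):
    """Split '9.1.8', '7.80' or '9.1.9-rc1' into ((major, minor, patch), suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups()[:3]), m.group(4)

def triage_core(version):
    """Return (status, upgrade target or None) for one Drupal core version."""
    v, suffix = parse(version)
    target = FIXED_CORE.get(v[:2])
    if target is None:
        # Assumption: every branch older than 8.9 is treated as end-of-life.
        if v < (8, 9, 0):
            return "end-of-life", EOL_TARGET
        return "not-listed", None  # branch the advisory does not mention
    fixed = parse(target)[0]
    # Assumption: a suffixed build of the fixed release (-dev, -rc1) counts as unpatched.
    if v > fixed or (v == fixed and not suffix):
        return "patched", None
    return "update", target

def ckeditor_needs_update(version):
    """True when a CKEditor 4 copy predates the fixed 4.16.1 release."""
    v, suffix = parse(version)
    return v < CKEDITOR_FIXED or (v == CKEDITOR_FIXED and bool(suffix))

# Constructed inventory: (site label, core version, CKEditor version).
INVENTORY = [
    ("intranet", "9.1.8", "4.16.0"),
    ("portal", "9.0.14", "4.16.1"),
    ("archive", "7.80", "4.14.0"),
    ("staging", "9.1.9-rc1", "4.16.1"),
]

def report(inventory):
    """Triage every site; rows are (site, status, target, ckeditor_needs_update)."""
    return [(s, *triage_core(core), ckeditor_needs_update(ck)) for s, core, ck in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```
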
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at email@example.com or call us on 9009.
Drupal Core - Security Advisories