Drupal Security Updates - July 2022
Several security alerts have just been released for Drupal. Several of them are critical, but they only affect you in very specific cases:
It only affects D9, and only if you use iframes in media entities.
Arbitrary code execution in D9. It only affects you if your server uses Apache. This one is especially dangerous!!!
For D9. Access control to entity fields. It probably only affects you if you have custom/contrib modules that interact with forms.
It affects both D9 and D7, but only if you have "allow_insecure_derivatives" enabled in the Drupal settings.
I also want to remind you that Drupal 8 is no longer supported, and that almost all Drupal 9 security alerts also apply to Drupal 8.
Therefore, you should upgrade as soon as possible to the latest version of Drupal 9, especially if you use Apache instead of Nginx.
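To find out whether the "allow_insecure_derivatives" condition applies to a codebase, the following added example (not from the original post or from the Drupal project) scans settings files and exported configuration for an uncommented line that turns the flag on, covering both the D7 and D9 spellings of the setting. The function names, the directory layout and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Added example: function names and the sample tree below are illustrative.
# D7 settings.php: $conf['image_allow_insecure_derivatives'] = TRUE;
# D9 settings.php: $config['image.settings']['allow_insecure_derivatives'] = TRUE;
PHP_FLAG = re.compile(
    r"""^\s*\$(?:conf\[['"]image_allow_insecure_derivatives['"]\]"""
    r"""|config\[['"]image\.settings['"]\]\[['"]allow_insecure_derivatives['"]\])"""
    r"""\s*=\s*(?:true|1)\s*;""", re.IGNORECASE)
# Exported D9 configuration (image.settings.yml in the config sync directory).
YAML_FLAG = re.compile(r"^\s*allow_insecure_derivatives:\s*true\s*$", re.IGNORECASE)

def find_insecure_derivatives(root):
    """Return (relative path, line number) for each uncommented line enabling the flag."""
    root, hits = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if re.fullmatch(r"settings(\..+)?\.php", path.name):
            pattern = PHP_FLAG
        elif path.name == "image.settings.yml":
            pattern = YAML_FLAG
        else:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        hits += [(path.relative_to(root).as_posix(), n)
                 for n, line in enumerate(lines, start=1) if pattern.search(line)]
    return hits

def build_sample_tree():
    """Constructed sample site tree (not taken from a real site)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "d9/sites/default/settings.php":
            "<?php\n# $config['image.settings']['allow_insecure_derivatives'] = TRUE;\n"
            "$config['image.settings']['allow_insecure_derivatives'] = TRUE;\n",
        "d9/config/sync/image.settings.yml":
            "preview_image: core/modules/image/sample.png\nallow_insecure_derivatives: false\n",
        "d7/sites/default/settings.php":
            "<?php\n$conf['image_allow_insecure_derivatives'] = TRUE;\n",
    }
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    for rel, lineno in find_insecure_derivatives(build_sample_tree()):
        print(f"{rel}:{lineno}: insecure image derivatives enabled")
```

A static scan like this only sees files on disk. On D9 the active value can also be read with `drush config:get image.settings allow_insecure_derivatives`.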