The Computer Emergency Response Team KZ-CERT reports that a critical vulnerability (CVE-2018-7600) has been identified in the Drupal content management system, which can be used to remotely execute code on the server by sending a specially crafted request without authentication. The problem is quite simple in operation and affects the branches Drupal 8, 7 and 6. All users are urged to immediately install updates Drupal 8.5.1, 7.58, 8.3.9, 8.4.6 or use a patch.
Internet resources running on versions 7.x and 8.x, you need to install the kernel update to the latest version, or, if for some reason it is impossible, install a patch on the kernel, links to the corresponding patches and versions are in the Drupal information sheet Security Team.
To owners of sites on the currently unsupported 6th version, you need to install a patch in the Drupal 6 Long Term Support project, you can download it here: www.drupal.org/project/d6lts/issues/2955130