Drupal released a security update to fix a vulnerability in the Symfony library included in Drupal. A remote attacker may send specially crafted HTTP requests to exploit the vulnerability.
The support of Drupal prior to version 8.5.x is ceased and no security updates will be provided. Users should arrange migrating to the latest version of Drupal or other supported technology.
A successful attack could lead to security restriction bypass on an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/SA-CORE-2018-005
https://www.hkcert.org/my_url/en/alert/18080701
https://www.us-cert.gov/ncas/current-activity/2018/08/02/Drupal-Releases-Security-Update
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773