Drupal has released security updates to fix vulnerabilities in Drupal Core and its modules. An attacker could exploit the vulnerabilities by uploading a malicious file to a vulnerable system or by visiting the leftover installation page.
Please note that no security updates will be provided for versions of Drupal 8 prior to 8.7.x. Users should upgrade Drupal to a supported branch or arrange to migrate to another supported technology.
A successful attack could lead to information disclosure, denial of service, tampering, and security feature bypass on an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2019-009
https://www.drupal.org/sa-core-2019-010
https://www.drupal.org/sa-core-2019-011
https://www.drupal.org/sa-core-2019-012
https://www.hkcert.org/my_url/en/alert/19121903