Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, the version 8.5.6.6. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core. The flaw is due to the Symfonys support for legacy and risky HTTP headers. The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.”]
Source: https://securityaffairs.co/wordpress/75020/hacking/cve-2018-14773-symfony-flaw.html