The Drupal team released security updates to fix several vulnerabilities, including the critical access bypass flaw CVE-2017-6922, which has been exploited in spam campaigns. The flaw was fixed with the release of Drupal versions 7.56 and 8.3.4.4. The site could be used by an attacker to host content that the legitimate site maintainers would not want made publicly available through their site. The new releases will not prevent this kind of abuse, says the security advisory. The bugs were discovered in October 2016 and have been exploited in the wild.
Source: http://securityaffairs.co/wordpress/60335/hacking/drupal-cve-2017-6922.html

