2019
21.02
Drupal – Patch critical bugs now

Attackers could attack websites built with the Drupal CMS and, in the worst case, take them over. Patched versions close the critical vulnerability (CVE-2019-6340). How an attack would proceed in detail is so far unclear. According to Drupal, input is processed incorrectly in some fields. This could allow attackers to execute their own PHP code.

Sites are only vulnerable if the RESTful Web Services module is enabled on Drupal 8/7 and PATCH or POST requests are allowed. Sites with other enabled web services modules, such as JSON:API, are also vulnerable. Versions 8.5.11 and 8.6.10 are patched. To secure Drupal 7, only updates to some modules are necessary, the developers explain in a security advisory. As a workaround, web admins can also disable all web services modules or prohibit PUT/PATCH/POST requests.
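
A triage check for a site inventory built from the criteria above, as an added example that is not from the original article or the Drupal project. The module machine names `rest` and `jsonapi`, the site records and the allowed-method lists are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
PATCHED = {(8, 5): 11, (8, 6): 10}
# Assumed machine names: "rest" = RESTful Web Services, "jsonapi" = JSON:API.
SERVICE_MODULES = {"rest", "jsonapi"}
WRITE_METHODS = {"PUT", "PATCH", "POST"}


def triage(version, enabled_modules, allowed_methods):
    """Classify one site against the article's CVE-2019-6340 criteria."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return "review", "unparseable version string"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    services = SERVICE_MODULES & {x.lower() for x in enabled_modules}
    writes = WRITE_METHODS & {x.upper() for x in allowed_methods}
    if not services:
        return "not exposed", "no web services module enabled"
    if major == 7:
        # Core version alone does not decide this; module updates do.
        return "review", "Drupal 7: check service modules for updates"
    fixed = PATCHED.get((major, minor))
    if fixed is not None and patch >= fixed:
        return "patched", f"at or above {major}.{minor}.{fixed}"
    if not writes:
        return "mitigated", "write methods blocked; still update"
    if fixed is not None:
        return "vulnerable", f"update to {major}.{minor}.{fixed}"
    return "review", "branch not covered by the article"


# Constructed inventory: (name, core version, enabled modules, allowed methods).
SITES = [
    ("shop", "8.6.9", ["rest", "views"], ["GET", "POST"]),
    ("blog", "8.6.10", ["rest"], ["GET", "POST", "PATCH"]),
    ("intranet", "8.5.10", ["jsonapi"], ["GET"]),
    ("legacy", "7.63", ["views"], ["GET", "POST"]),
]


def triage_all(sites):
    """Map each site name to its status string."""
    return {name: triage(ver, mods, meths)[0] for name, ver, mods, meths in sites}


if __name__ == "__main__":
    for name, status in triage_all(SITES).items():
        print(f"{name:10} {status}")
```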
