Drupal recently fixed a critical security flaw that could completely compromise the data and the integrity of the websites it powers.
In technical terms, this was an access bypass vulnerability that put Drupal websites at risk of being hacked. Although the Drupal development community decided not to give it the highest severity level in its ranking system, the vulnerability is serious enough that it also released a patch for the CMS.
If you have not updated your installation already, it is recommended that you do so as soon as possible. The users of Drupal 7 have nothing to fear, while Drupal 8 users should upgrade to the newly released 8.3.1 or 8.2.8 version to fix the issue.
The good news is that not all Drupal websites can be compromised, only those with some very particular settings. In order to be vulnerable, a website needs to have RESTful Web Services enabled and also allow PATCH requests. Apart from that, the attacker must be able to either create a new account or access an already-existing one.
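The conditions above can be turned into a quick triage check for a fleet of sites. The following is an added example, not code from the Drupal project; the dictionary layout standing in for exported configuration (`core.extension`, `user.settings`, and `rest.resource.*` entries with `granularity`, `status` and `configuration`) is an assumption about how a Drupal 8 config export looks, and the sample site is constructed.

```python
import re
FIXED = {(8, 2): (8, 2, 8), (8, 3): (8, 3, 1)}  # fixed releases named in the article

def needs_upgrade(version):
    """True if a Drupal core version predates the fix for its branch."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(x or 0) for x in m.groups())
    if v[0] != 8:
        return False                 # the article lists only Drupal 8 as affected
    # Assumption: 8.x branches older than 8.2 are treated as unpatched.
    return v < FIXED.get(v[:2], (8, 2, 8))

def patch_resources(resources):
    """IDs of enabled REST resource configs that accept PATCH."""
    hits = []
    for res in resources:
        conf = res.get("configuration", {})
        # "resource" granularity lists verbs; "method" granularity keys by verb.
        verbs = conf.get("methods", []) if res.get("granularity") == "resource" else conf
        if res.get("status", True) and "PATCH" in {v.upper() for v in verbs}:
            hits.append(res["id"])
    return hits

def triage(site):
    """Return (exposed, findings) for one site's version and exported config."""
    findings = {
        "unpatched_core": needs_upgrade(site["version"]),
        "rest_enabled": "rest" in site["core.extension"]["module"],
        "patch_resources": patch_resources(site["rest_resources"]),
        # Raises urgency only: an existing account meets the last condition too.
        "open_registration": site["user.settings"]["register"] != "admin_only",
    }
    exposed = all(findings[k] for k in ("unpatched_core", "rest_enabled", "patch_resources"))
    return exposed, findings

SITE = {  # constructed sample, not taken from a real site
    "version": "8.3.0",
    "core.extension": {"module": {"node": 0, "rest": 0, "user": 0}},
    "user.settings": {"register": "visitors"},
    "rest_resources": [
        {"id": "entity.node", "status": True, "granularity": "resource",
         "configuration": {"methods": ["GET", "PATCH"]}},
        {"id": "entity.user", "status": True, "granularity": "method",
         "configuration": {"GET": {"supported_formats": ["json"]}}},
    ],
}
```

Closed registration does not clear a site, because any existing account satisfies the last condition; the check therefore flags exposure on version, REST and PATCH alone and reports registration as a separate finding.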
The developers have stated that although they do not usually provide security patches for unsupported minor releases, they believe this one is serious enough for them to make an exception. The 8.2.x release is meant for those who have not had the chance to update to 8.3.0, which they can now do safely.
Drupal is currently the third most popular CMS, right behind WordPress and Joomla, and is widely used by universities, government agencies, and news agencies. It has a couple of high-profile users such as the White House, the BBC, and Oxford University.