Security releases for Drupal (Drupal 8 version 8.3.4 and Drupal 7 version 7.56) which contain fixes for security vulnerabilities are now available and it's advisable that any websites using earlier Drupal versions are upgraded as soon as possible to keep them secure and prevent hacks and unauthorised access, including information disclosure.
Files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This can result in files uploaded to your website being publicly accessible.
The Drupal security team has received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system. This could result in your website being used to host images and malicious software that would be damaging to not only visitor computers but also to business reputation and search engine ranking.
We can upgrade your Drupal website for you with our cost effective Drupal upgrade service. Contact us for more details or if you're an O'Brien Media website hosting customer you can view your Drupal version information and request an upgrade via Client Connect, just log in and access the "My products" section for more information.