Drupal released security updates to fix the vulnerabilities in jQuery and Symfony libraries which are included in the Drupal core. A remote attacker may send specially crafted HTTP requests to exploit the vulnerabilities.
A successful attack could lead to remote code execution, cross site scripting (XSS) or security restriction bypass on an affected system.
The product vendor has released patches to address the issues.
This link will open in a new windowhttps://www.drupal.org/sa-core-2019-005
This link will open in a new windowhttps://www.drupal.org/sa-core-2019-006
This link will open in a new windowhttps://www.us-cert.gov/ncas/current-activity/2019/04/17/Drupal-Releases-Security-Updates
This link will open in a new windowhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909 (to CVE-2019-10911)