Drupal eliminates the vulnerabilities
The developers of Drupal introduced versions 7.56 and 8.3.4, in which several vulnerabilities were eliminated, including bugs used by spammers.
One of the main corrected problems was the vulnerability of CVE-2017-6922. The bug was that the files downloaded by an anonymous user were available not only to him, but to all anonymous users in general. Of course, only those sites that allowed anonymous downloads of files were affected.
Since October 2016, Drupal developers have known that this exploit is exploited by intruders. Then the company warned that criminals use incorrectly configured Drupal settings for storing malicious files and redirect users from search engines to these files. A fresh update of Drupal 7 and 8 protects websites from similar attacks.
Drupal 8.3.4 also fixed the critical vulnerability CVE-2017-6920, related to how the PECL YAML parser processes unsafe objects. The operation of the bag allowed remote execution of arbitrary code. One more less critical bug was fixed, CVE-2017-6921, associated with incorrect validation of fields.
If your want to check your drupal website for vulnerability you can use free extensions.