by pfg 3635 days ago
Small addition re: Coder: It's not necessary for the module to be enabled in order to be exploitable, it just has to be somewhere in your document root[1]. If you share the same code base between dev and production, you might be vulnerable even if it's disabled in production.

[1]: https://twitter.com/drupalsecurity/status/753263548458004480

Thanks for posting that very important point about the Coder module. We were mitigated by the fact we used Composer to install an internal distribution and Coder was in our /vendor/drupal/coder directory, not inside docroot.
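
A check for the condition both comments describe, as an added example that is not part of the original thread: it lists directories named `coder` at or below a docroot, ignoring whether the module is enabled. The function names and the sample trees (`site1` to `site3`, `sites/all/modules`) are constructed for illustration; a symlink from the docroot into `vendor/` is treated as exposed.

```shell
#!/bin/sh
# Added example: find copies of the Coder module that sit under a web docroot.
# Enabled/disabled state is never consulted; presence under the docroot is the test.

# coder_dirs_in_docroot DOCROOT
# Prints one path per directory named "coder" at or below DOCROOT.
# -L follows symlinks, so a link from the docroot into vendor/ is reported too.
coder_dirs_in_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    find -L "$docroot" -type d -name coder -prune -print 2>/dev/null | sort
}

# count_exposed DOCROOT: number of copies found (0 means none under the docroot)
count_exposed() {
    coder_dirs_in_docroot "$1" | wc -l | tr -d ' '
}

# build_sample_tree DIR: constructed layouts, not taken from any real site
build_sample_tree() {
    base=$1
    # site1: module copied under the docroot (shared dev/production code base)
    mkdir -p "$base/site1/docroot/sites/all/modules/coder"
    # site2: Composer layout, module in vendor/drupal/coder beside the docroot
    mkdir -p "$base/site2/docroot/sites/all/modules" "$base/site2/vendor/drupal/coder"
    # site3: same as site2, but a symlink pulls the module back under the docroot
    mkdir -p "$base/site3/docroot/sites/all/modules" "$base/site3/vendor/drupal/coder"
    ln -s ../../../../vendor/drupal/coder "$base/site3/docroot/sites/all/modules/coder"
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    for s in site1 site2 site3; do
        echo "$s: $(count_exposed "$tmp/$s/docroot") copy(ies) of coder under docroot"
    done
    rm -rf "$tmp"
}

demo
```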