Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Project: Thunder
Date: 2023-March-01
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3

Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.
The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.

Solution: Install the latest version:

  • If you use the thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to thunder 6.4.6 or thunder 6.5.3 respectively.

Reported By: 

Fixed By: 

Coordinated By: 
