View online: https://www.drupal.org/sa-contrib-2023-007
Project: Thunder [1]
Date: 2023-March-01
Security risk: *Moderately critical* 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3

Description:
Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface.

The module doesn't sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability that potentially exposes email addresses.
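The advisory's root cause is a missing access check on user data returned through GraphQL. The following is an added example, not code from the Thunder project or its fix: a hypothetical helper showing the entity-level and field-level access checks that Drupal's standard Entity API provides, which a resolver serving a user's email should perform before returning the value. The function name is an assumption; the API calls (EntityInterface::access(), FieldItemListInterface::access(), UserInterface::getEmail()) are Drupal core.

```php
<?php

/**
 * Added example (hypothetical helper, not thunder_gqls code): the access
 * check a resolver should perform before exposing a user's email address.
 */

use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

/**
 * Returns the user's email only if $account may view both the user entity
 * and its "mail" field; otherwise NULL.
 *
 * Drupal core's user access handler allows viewing "mail" only for the
 * account owner or users with the "administer users" permission, so
 * delegating to the field access API yields the same rules the
 * administrative UI enforces.
 */
function resolve_user_mail_with_access_check(UserInterface $user, AccountInterface $account): ?string {
  // Entity-level check: is $account allowed to view this user at all?
  if (!$user->access('view', $account)) {
    return NULL;
  }

  // Field-level check: is $account allowed to view the "mail" field?
  // Skipping this step is what lets email addresses leak to callers
  // who may view the user but not its email.
  if (!$user->get('mail')->access('view', $account)) {
    return NULL;
  }

  return $user->getEmail();
}
```

In a GraphQL resolver the $account argument would be the current request's account (for example \Drupal::currentUser()); returning NULL rather than throwing keeps the response shape stable while withholding the field from callers without access.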
Solution:
Install the latest version:

* If you use the Thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to Thunder 6.4.6 [3] or Thunder 6.5.3 [4] respectively.
Reported By:
* Steffen Schlaer [5]

Fixed By:
* Volker Killesreiter [6]
* Alexander Varwijk [7]
* Steffen Schlaer [8]
* Klaus Purer [9]
* Daniel Bosen [10]

Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/thunder
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/thunder/releases/6.4.6
[4] https://www.drupal.org/project/thunder/releases/6.5.3
[5] https://www.drupal.org/user/324945
[6] https://www.drupal.org/user/57527
[7] https://www.drupal.org/user/1868952
[8] https://www.drupal.org/user/324945
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/user/404865
[11] https://www.drupal.org/user/36762