Project: 
Date: 
2023-March-01
Vulnerability: 
Access bypass
Affected versions: 
>=6.4.0 <6.4.6 || >=6.5.0 <6.5.3
Description: 

Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface.

The module doesn't sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability that potentially exposes email addresses.

Solution: 

Install the latest version:

  • If you use the Thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to Thunder 6.4.6 or Thunder 6.5.3 respectively.
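
To check whether a site's locked Thunder release falls inside the affected range above, the following added example (not part of the original advisory or the Thunder project) evaluates the advisory's constraint string against a `composer.lock`. The Composer package name `thunder/thunder-distribution` and the sample lock content are assumptions; the script does not check whether thunder_gqls is enabled.

```python
import json
import re

# Affected range exactly as stated in the advisory.
AFFECTED = ">=6.4.0 <6.4.6 || >=6.5.0 <6.5.3"
# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(6, 4): "6.4.6", (6, 5): "6.5.3"}
OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def parse_version(text):
    """Turn '6.4.5' or 'v6.4.5' into (6, 4, 5); reject dev/alias versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a plain x.y.z version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version, constraint=AFFECTED):
    """True if version satisfies any '||' branch of the constraint."""
    v = parse_version(version)
    for branch in constraint.split("||"):
        checks = re.findall(r"(>=|<)\s*([\d.]+)", branch)
        if checks and all(OPS[op](v, parse_version(b)) for op, b in checks):
            return True
    return False

def audit_lock(lock_text, package):
    """Return (version, affected, fixed_release) or None if not installed."""
    for entry in json.loads(lock_text).get("packages", []):
        if entry.get("name") == package:
            version = entry["version"]
            affected = is_affected(version)
            fix = FIXED.get(parse_version(version)[:2]) if affected else None
            return version, affected, fix
    return None

# Constructed sample composer.lock content; the package name is an assumption.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.5.3"},
    {"name": "thunder/thunder-distribution", "version": "6.4.5"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK, "thunder/thunder-distribution"))
```
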
Reported By: 
Coordinated By: