DRUPAL-CONTRIB-2023-007

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/thunder/DRUPAL-CONTRIB-2023-007.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-007
Withdrawn
2026-03-18T18:00:07.403572Z
Published
2023-03-01T17:11:03Z
Modified
2026-03-18T18:00:07.403572Z
Summary
[none]
Details

Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface.

The module doesn't sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability that potentially exposes email addresses.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/thunder

Package

Name
drupal/thunder
Purl
pkg:composer/drupal/thunder

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.4.6
Database specific
{
    "constraint": ">=6.4.0 <6.4.6"
}
Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.5.3
Database specific
{
    "constraint": ">=6.5.0 <6.5.3"
}

Database specific

affected_versions
">=6.4.0 <6.4.6 || >=6.5.0 <6.5.3"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/thunder/DRUPAL-CONTRIB-2023-007.json"