Tag
A missing authorization check in the GraphQL Address element resolver of Craft CMS Pro allows a GraphQL API token scoped to a low-privilege user group to read all addresses in the system, including those belonging to users in groups the token is not authorized to access, exposing personally identifiable information (PII).