"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Wed, 2023-03-01 09:11 — Anonymous (not verified)

Project: ThunderDate: 2023-March-01Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.
The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.Solution: Install the latest version:

If you use the thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to thunder 6.4.6 or thunder 6.5.3 respectively.

Reported By:

Steffen Schlaer

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-007

Search form

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007