View online: https://www.drupal.org/sa-contrib-2022-040
Project: Wingsuit - Storybook for UI Patterns [1]
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: The Wingsuit module enables site builders to build UI Patterns (and|or) Twig Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form, allowing an attacker to view and modify the Wingsuit configuration.
Solution: Install the latest version:
* If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade to Wingsuit 8.x-1.1 [3]
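The advisory does not say how the access check came to be missing. As an added example (not code from the advisory or from the Wingsuit project), this Python script audits a module's *.routing.yml for admin form routes whose only requirement is `_access: 'TRUE'` or a permission that anonymous users hold by default. It assumes the form is exposed through a routing file, as Drupal 8 forms normally are; the route names, paths and class names in the sample are constructed.

```python
RESTRICTIVE = {"_permission", "_role", "_custom_access", "_entity_access"}  # privilege checks
# Constructed sample; not the Wingsuit module's real routing file.
SAMPLE_ROUTING = r"""
example_module.settings_open:
  path: '/admin/config/example/open'
  defaults:
    _form: '\Drupal\example_module\Form\SettingsForm'
  requirements:
    _access: 'TRUE'
example_module.settings_guarded:
  path: '/admin/config/example/guarded'
  defaults:
    _form: '\Drupal\example_module\Form\SettingsForm'
  requirements:
    _permission: 'administer site configuration'
"""

def parse_routes(text):
    # Handles only the nested-mapping subset used by *.routing.yml, not full YAML.
    routes, name, section = {}, None, None
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = body.partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:                       # route name
            name, section = key, None
            routes[name] = {"path": "", "defaults": {}, "requirements": {}}
        elif indent == 2:                     # path / defaults / requirements / ...
            section = key
            routes[name][key] = value or routes[name].get(key, {})
        elif section in ("defaults", "requirements"):
            routes[name][section][key] = value
    return routes

def audit(text, broad=("access content",)):
    # Return (route, reason) for admin form routes reachable without privilege.
    findings = []
    for name, route in parse_routes(text).items():
        req = route["requirements"]
        if not route["path"].startswith("/admin") or "_form" not in route["defaults"]:
            continue
        if req.get("_access", "").upper() == "TRUE" and not RESTRICTIVE & set(req):
            findings.append((name, "_access: 'TRUE' with no other access check"))
        elif req.get("_permission") in broad:
            findings.append((name, "permission normally held by anonymous users"))
    return findings
```

Run `audit()` over the contents of each installed module's routing file; every finding is a route to review by hand, since a form can still enforce access in its own code.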
Reported By:
* Christian.wiedemann [4]
Fixed By:
* Christian.wiedemann [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
[1] https://www.drupal.org/project/wingsuit_companion
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wingsuit_companion/releases/8.x-1.1
[4] https://www.drupal.org/user/861002
[5] https://www.drupal.org/user/861002
[6] https://www.drupal.org/user/36762