[Security-news] Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
security-news at drupal.org
Wed May 18 17:34:39 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-040
Project: Wingsuit - Storybook for UI Patterns [1]
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Wingsuit module enables site builders to build UI Patterns and/or Twig
Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form, allowing an
attacker to view and modify the Wingsuit configuration.
Solution:
Install the latest version:
* If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade
to Wingsuit 8.x-1.1 [3]
Reported By:
* Christian.wiedemann [4]
Fixed By:
* Christian.wiedemann [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
[1] https://www.drupal.org/project/wingsuit_companion
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wingsuit_companion/releases/8.x-1.1
[4] https://www.drupal.org/user/861002
[5] https://www.drupal.org/user/861002
[6] https://www.drupal.org/user/36762
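
A way to look for the same class of problem in other modules, as an added example (not code from the advisory or from the Wingsuit project): the Python below reads a module's *.routing.yml and lists /admin routes that carry no permission-style requirement. It assumes the admin form is exposed through a route definition, which the advisory does not state; the sample routes are constructed and hypothetical.

```python
# Route requirement keys that Drupal core evaluates as access checks.
ACCESS_KEYS = {"_permission", "_role", "_custom_access", "_entity_access", "_user_is_logged_in"}
# Constructed sample; the route names and paths are hypothetical, not Wingsuit's.
SAMPLE = """\
example.settings_open:
  path: '/admin/config/example/settings'
  defaults:
    _form: '\\Drupal\\example\\Form\\SettingsForm'
  requirements:
    _access: 'TRUE'
example.settings_guarded:
  path: '/admin/config/example/guarded'
  requirements:
    _permission: 'administer site configuration'
example.public_page:
  path: '/example/hello'
  requirements:
    _access: 'TRUE'
"""

def parse_routes(text):
    """Minimal reader for the simple layout of *.routing.yml (not full YAML)."""
    routes, name, section = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            name, section = key, None
            routes[name] = {"path": "", "requirements": {}}
        elif indent == 2:
            section = key
            if key == "path":
                routes[name]["path"] = value
        elif section == "requirements":
            routes[name]["requirements"][key] = value
    return routes

def unguarded_admin_routes(text):
    """Names of /admin routes whose requirements hold no real access check."""
    flagged = []
    for name, route in parse_routes(text).items():
        reqs = route["requirements"]
        denied = reqs.get("_access", "").upper() == "FALSE"
        if route["path"].startswith("/admin") and not denied and not ACCESS_KEYS & reqs.keys():
            flagged.append(name)
    return flagged
```

Calling unguarded_admin_routes(SAMPLE) returns only the open admin settings route; a flagged route is a lead to review by hand, since access can also be enforced elsewhere in the code.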