it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
- Date: Wed, 18 May 2022 17:34:39 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-040
Project: Wingsuit - Storybook for UI Patterns [1]
Version: 8.x-2.x-dev, 8.x-1.x-dev
Date: 2022-May-18
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
The Wingsuit module enables site builders to build UI Patterns (and|or) Twig
Components with Storybook and use them without any mapping code in Drupal.
The module doesn't have an access check for the admin form, allowing an
attacker to view and modify the Wingsuit configuration.
Solution:
Install the latest version:
* If you use the wingsuit_companion 8.x-1.x module for Drupal 8.x, upgrade
to Wingsuit 8.x-1.1 [3]
Reported By:
* Christian.wiedemann [4]
Fixed By:
* Christian.wiedemann [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
[1] https://www.drupal.org/project/wingsuit_companion
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/wingsuit_companion/releases/8.x-1.1
[4] https://www.drupal.org/user/861002
[5] https://www.drupal.org/user/861002
[6] https://www.drupal.org/user/36762