Description
A flaw has been uncovered in the Wingsuit module. Because the module does not include an access check, attackers can evade access controls.
Summary
The Wingsuit module allows site builders to create UI Patterns and/or Twig Components in Storybook and use them in Drupal without writing any mapping code. The admin form of the module does not include an access check, allowing an attacker to view and edit the Wingsuit configuration.
Recommendation
Install the latest version:
Upgrade to Wingsuit 8.x-1.1 if you're using the Wingsuit companion 8.x-1.x module for Drupal 8.x.
The Guyana National CIRT recommends that users and administrators review this update and apply it where necessary.
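As an added illustration (not code from the Wingsuit module or from the advisory), the Python audit below flags form routes in a Drupal `*.routing.yml` file whose only access requirement is `_access: 'TRUE'`. The sample route names and paths are constructed, and it is an assumption that a missing access check would appear in this form; the advisory does not say how the admin form was exposed.

```python
# Added example: audit Drupal routing YAML for form routes open to everyone.
# Constructed sample; these are not the Wingsuit module's real routes.
SAMPLE_ROUTING = """\
example.settings_open:
  path: '/admin/config/example/open'
  defaults:
    _form: '\\Drupal\\example\\Form\\SettingsForm'
  requirements:
    _access: 'TRUE'
example.settings_guarded:
  path: '/admin/config/example/guarded'
  defaults:
    _form: '\\Drupal\\example\\Form\\SettingsForm'
  requirements:
    _permission: 'administer site configuration'
"""


def parse_routes(text):
    """Parse the simple route -> section -> key layout routing files use."""
    routes, route, section = {}, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:                      # route name
            route, section = routes.setdefault(key, {}), None
        elif route is None:                  # indented line before any route
            continue
        elif indent == 2 and not value:      # "defaults:" / "requirements:"
            section = route.setdefault(key, {})
        elif indent == 2:                    # scalar such as "path: ..."
            route[key], section = value, None
        elif section is not None:            # key inside the current section
            section[key] = value
    return routes


def open_form_routes(text):
    """Return (route, path) for forms whose only check is _access: 'TRUE'."""
    flagged = []
    for name, route in parse_routes(text).items():
        defaults, reqs = (route.get(k) if isinstance(route.get(k), dict) else {}
                          for k in ("defaults", "requirements"))
        # Drupal requires every listed check to pass, so _access: 'TRUE'
        # next to _permission is still restricted and is not flagged.
        checks = {k: v for k, v in reqs.items() if k.startswith("_")}
        if "_form" in defaults and checks == {"_access": checks.get("_access")} \
                and checks["_access"].upper() == "TRUE":
            flagged.append((name, route.get("path", "")))
    return flagged
```

Calling `open_form_routes()` on the text of each contributed module's routing file gives a short list of forms to review by hand.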
References
Wingsuit – Storybook for UI Patterns – Critical – Access bypass – SA-CONTRIB-2022-040. (2022, May 18). Retrieved from Drupal.Org.
https://www.drupal.org/sa-contrib-2022-040
Wingsuit – Storybook for UI Patterns – Critical – Access bypass – SA-CONTRIB-2022-040. (2022, May 18). Retrieved from AltaGrade.