A flaw in the Wingsuit module has been uncovered. The module enables attackers to evade access controls because the module does not include an access check.
The Wingsuit module allows site builders to create UI Patterns and/or Twig Components in Storybook and utilize them in Drupal without having to do any mapping code. The admin form of the module does not include an access check, allowing an attacker to view and edit the Wingsuit configuration.
Install the latest version:
Upgrade to Wingsuit 8.x-1.1 if you”re using the wingsuit companion 8.x-1.x module for Drupal 8.x.
The Guyana National CIRT recommends that users and administrators review this update and apply it where necessary.
Wingsuit – Storybook for UI Patterns – Critical – Access bypass – SA-CONTRIB-2022-040. (2022, May 18). Retrieved from Drupal.Org.
Wingsuit – Storybook for UI Patterns – Critical – Access bypass – SA-CONTRIB-2022- 040. (2022, May 18). Retrieved from AltaGrade