The module adds support for the Mirador viewer in WissKI and enables annotations on images through that viewer.
It does not sufficiently check parameters submitted via a route and writes them to the session object without further checks, which can lead to access bypass.
This vulnerability is mitigated by the fact that it is specific to the wisski_mirador submodule.
Install the latest version:
- If you use the WissKI module version 8.x-4.1, upgrade to WissKI 8.x-4.2
- Drew Webber (mcdruid) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team