CVE-2024-32003

Name of the Vulnerable Software and Affected Versions wn-dusk-plugin versions prior to 2.1.0

Description The Dusk plugin provides special routes as part of its testing framework, allowing a browser environment to act as a user in the Backend or User plugin without authentication. The route [[URL]]/ dusk/login/[[USER ID]]/[[MANAGER]] can potentially be used to gain access to any user account without authentication if the Dusk plugin is available publicly and test cases are run with live data. This issue affects Winter CMS installations that meet specific criteria, including having the Dusk plugin installed, being in production mode, and using production data for testing.

Recommendations To resolve the issue, upgrade to version 2.1.0 or later. As a temporary workaround, consider setting the APP ENV environment variable to dusk to prevent the special routes from being registered. Restrict access to the Dusk plugin and its configuration to minimize the risk of exploitation. Avoid using the Dusk plugin in production instances and install it as a development dependency only in Composer.