CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2024-32003 – Dusk plugin may allow unfettered user authentication in misconfigured installs
https://notcve.org/view.php?id=CVE-2024-32003
12 Apr 2024 — wn-dusk-plugin (Dusk plugin) is a plugin which integrates Laravel Dusk browser testing into Winter CMS. The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment (such as headless Chrome) to act as a user in the Backend or User plugin without having to go through authentication. This route is `[[URL]]/_dusk/login/[[USER ID]]/[[MANAGER]]` - where `[[URL]]` is the base URL of the site, `[[USER ID]]` is the ID of the user account and `[[MANAGER]]` is the authe...
• https://github.com/wintercms/wn-dusk-plugin/blob/main/README.md
• CWE-269: Improper Privilege Management