Incorrect Authorization Affecting winter/wn-dusk-plugin package, versions <2.1.0


Severity: medium

Snyk CVSS

    Attack Complexity: High
    User Interaction: Required

Threat Intelligence

    EPSS: 0.04% (9th percentile)

  • Snyk ID SNYK-PHP-WINTERWNDUSKPLUGIN-6613063
  • published 14 Apr 2024
  • disclosed 12 Apr 2024
  • credit Unknown

How to fix?

Upgrade winter/wn-dusk-plugin to version 2.1.0 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization due to the plugin being misconfigured in certain installations. Specifically, the plugin introduces special routes for testing purposes that, if exposed publicly, can be exploited to bypass user authentication mechanisms for accessing backend or user accounts without proper credentials. This vulnerability hinges on the plugin being publicly accessible and its test cases being executed with live data. This plugin must be utilized solely in development environments, as recommended, to mitigate potential exploitation.

Note

This only affects users whose Winter CMS installation meets ALL of the following criteria:

  1. The Dusk plugin is installed in the Winter CMS instance.

  2. The application is in production mode (i.e. the debug config value is set to true in config/app.php).

  3. The Dusk plugin's automatic configuration has been overridden, either by providing a custom .env.dusk file or by providing custom configuration in the config/dusk folder, or by providing configuration environment variables externally.

  4. The environment has been configured to use production data in the database for testing, and not the temporary SQLite database that Dusk uses by default.

  5. The application is connectable via the web.
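As an added audit script (not part of the Snyk advisory or of the Winter project), the following POSIX shell function checks a Winter CMS root for the first four criteria above and reminds the operator that the fifth must be verified by hand. The plugin path plugins/winter/dusk, the DUSK_ prefix for externally supplied settings, and reading DB_CONNECTION from .env.dusk to detect a non-SQLite test database are assumptions.

```shell
#!/bin/sh
# Audit a Winter CMS root for the exposure criteria listed in the advisory.
# Prints one line per criterion and returns 1 when every locally checkable
# criterion is met; web reachability (criterion 5) is reported for manual review.
# Assumptions (not from the advisory): the plugin installs to plugins/winter/dusk,
# externally supplied Dusk settings use DUSK_* variables, and .env.dusk carries
# the DB_CONNECTION key that Laravel-style apps use for the database driver.
audit_dusk_exposure() {
  root="$1"
  met=0

  # 1. Dusk plugin installed: composer.lock entry or plugin directory present.
  if grep -q '"name": "winter/wn-dusk-plugin"' "$root/composer.lock" 2>/dev/null \
     || [ -d "$root/plugins/winter/dusk" ]; then
    echo "[1] Dusk plugin installed"; met=$((met + 1))
  fi

  # 2. debug setting in config/app.php (the advisory names 'true' as the risky value).
  if grep -Eq "'debug'[[:space:]]*=>[[:space:]]*true" "$root/config/app.php" 2>/dev/null; then
    echo "[2] config/app.php sets debug => true"; met=$((met + 1))
  fi

  # 3. Automatic Dusk configuration overridden by a file, a folder or the environment.
  if [ -f "$root/.env.dusk" ] || [ -d "$root/config/dusk" ] || env | grep -q '^DUSK_'; then
    echo "[3] custom Dusk configuration present"; met=$((met + 1))
  fi

  # 4. Tests pointed at a database other than the default temporary SQLite one.
  if [ -f "$root/.env.dusk" ] \
     && grep -Eq '^DB_CONNECTION=' "$root/.env.dusk" \
     && ! grep -Eq '^DB_CONNECTION=sqlite' "$root/.env.dusk"; then
    echo "[4] .env.dusk points tests at a non-SQLite database"; met=$((met + 1))
  fi

  echo "[5] web reachability of this host: verify manually"
  if [ "$met" -eq 4 ]; then
    echo "RESULT: all local criteria met; upgrade winter/wn-dusk-plugin to 2.1.0 or remove it"
    return 1
  fi
  echo "RESULT: $met of 4 local criteria met"
  return 0
}
```

Run it as `audit_dusk_exposure /path/to/winter` from the deployment host; a non-zero exit marks an installation that matches the advisory's preconditions.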