CVE-2024-32003

Published: 12 Apr 2024
Source: nvd
CVSS3: 8.8
EPSS: Low

Description

wn-dusk-plugin (Dusk plugin) is a plugin which integrates Laravel Dusk browser testing into Winter CMS. The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment (such as headless Chrome) to act as a user in the Backend or User plugin without having to go through authentication. This route is [[URL]]/_dusk/login/[[USER ID]]/[[MANAGER]] - where [[URL]] is the base URL of the site, [[USER ID]] is the ID of the user account and [[MANAGER]] is the authentication manager (either backend for Backend, or user for the User plugin). If a configuration of a site using the Dusk plugin is set up in such a way that the Dusk plugin is available publicly and the test cases in Dusk are run with live data, this route may potentially be used to gain access to any user account in either the Backend or User plugin without authentication. As indicated in the README, this plugin should only be used in development and should NOT be used in a

EPSS

Percentile: 26%
0.00094
Low

8.8 High

CVSS3

Weaknesses

CWE-269

Related vulnerabilities

CVSS3: 8.8
github
almost 2 years ago

Dusk plugin may allow unfettered user authentication in misconfigured installs

EPSS

Percentile: 26%
0.00094
Low

8.8 High

CVSS3

Weaknesses

CWE-269