CVE-2024-32003
📋 TL;DR
The wn-dusk-plugin for Winter CMS contains an authentication bypass vulnerability: a testing route lets an unauthenticated attacker log in as any user of the Backend or User plugin without credentials. The route exists so that Laravel Dusk browser tests can sign in, and should only ever be reachable in a development or testing environment. It becomes exploitable when the plugin is installed on a production Winter CMS site that runs against live data.
💻 Affected Systems
- Winter CMS with wn-dusk-plugin installed (releases before the 2.1.0 fix listed below)
⚠️ Manual Verification Required
The CVE entry does not carry version ranges (none were supplied by the vendor/NVD), so automatic, version-based vulnerability detection cannot tell whether a given installation is affected. Treat any wn-dusk-plugin release before the 2.1.0 fix as affected and confirm manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts in both Backend and User plugins, leading to full administrative control, data theft, and potential further system compromise.
Likely Case
Unauthorized access to user accounts, potentially including administrative accounts, leading to data exposure and privilege escalation.
If Mitigated
No impact if the plugin is absent from production systems (present only in development or testing environments) or if the fixed release is installed.
🎯 Exploit Status
Exploitation is a single unauthenticated GET request to /_dusk/login/[USER_ID]/[MANAGER]. The only thing an attacker has to know is a user ID, and Winter CMS user IDs are auto-increment integers, so the first administrator account is typically ID 1; [MANAGER] selects the authentication manager (backend for Backend users, as in the verification check below). No credentials, prior session or user interaction are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.0
Vendor Advisory: https://github.com/wintercms/wn-dusk-plugin/security/advisories/GHSA-chcp-g9j5-3xxx
Restart Required: Yes
Instructions:
1. Update wn-dusk-plugin to version 2.1.0 via Composer: composer update winter/wn-dusk-plugin
2. Restart your web server and PHP-FPM services.
3. Verify the fix by checking that the /_dusk/login endpoint is no longer accessible.
🔧 Temporary Workarounds
Remove Dusk plugin from production
Completely remove the Dusk plugin from production environments; it is a testing tool and has no business on a live site. This is the preferred workaround, because it removes the route itself rather than hiding it.
composer remove winter/wn-dusk-plugin
Restrict route access
Block access to the /_dusk/* routes in the web server configuration or with application middleware. Both servers match location rules against the decoded, normalized URI, so percent-encoded spellings of the path are caught as well.
# In nginx (regex locations are evaluated in configuration order, so place this before other regex locations; a matching "location ^~" prefix block would take precedence over it):
location ~ ^/_dusk { deny all; }
# In Apache 2.4 (Location matches the path prefix, so /_dusk/login/... is covered):
<Location "/_dusk"> Require all denied </Location>
🧯 If You Can't Patch
- Immediately disable or remove the Dusk plugin from production systems
- Block the /_dusk/* paths at the WAF or reverse proxy; a layer-4 firewall cannot match on the URL path, so the rule has to live where HTTP is inspected
🔍 How to Verify
Check if Vulnerable:
Request https://yoursite.com/_dusk/login/1/backend from a fresh session (no cookies). On a vulnerable installation this is a real login: the response carries a session cookie and a follow-up request to /backend with that cookie is served as user 1 instead of showing the login form. A patched or absent plugin returns 404 for the path. Prefer to run this check against a staging copy, since on production it creates an authenticated administrator session.
Check Version:
composer show winter/wn-dusk-plugin | grep versions
Verify Fix Applied:
After updating to 2.1.0, verify the /_dusk/login endpoint returns 404 or access denied, and check that APP_ENV is not set to 'dusk' in production.
📡 Detection & Monitoring
Log Indicators:
- Any HTTP request to /_dusk/login/* on a production host, whatever the status code (a 2xx/3xx means the route answered; a 404 after patching still identifies who probed)
- Authenticated backend or frontend activity from a client that never submitted the login form, beginning right after its /_dusk/login request
- Authentication events for administrative accounts from unexpected IPs
Network Indicators:
- HTTP traffic to /_dusk/login/* paths
- Unusual spikes in authentication-related traffic
SIEM Query:
http.path:"/_dusk/login/*"
Do not restrict the query to http.status_code:200: the route may answer with a redirect (3xx) rather than 200, and a 403/404 after the fix is still evidence of probing. Use the status code for triage, not for the alert itself.
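As an added example (not part of this page or of the wn-dusk-plugin project), the following Python scanner applies the log indicators above to access-log lines in the Combined Log Format that nginx and Apache write by default. The sample lines are constructed. It normalizes the request path before matching, because nginx merges repeated slashes by default and Laravel percent-decodes the path before route matching, so an encoded spelling such as /%5Fdusk/login/1 still reaches the route; it keeps every status code and records whether the route answered. The field names and the optional manager segment are assumptions made for this example.

```python
"""Scan web-server access logs for hits on the Dusk login route.

Added example for this CVE page; not code from the wn-dusk-plugin project.
Assumes the Combined Log Format; the sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The route on this page is /_dusk/login/{userId}/{manager}. The manager segment is
# treated as optional here (an assumption) so that bare probes are caught as well.
DUSK_LOGIN_RE = re.compile(
    r'^/_dusk/login/(?P<user_id>\d+)(?:/(?P<manager>[A-Za-z0-9_-]+))?/?$'
)


def normalize_path(raw_path):
    """Drop the query string, percent-decode, and collapse repeated slashes.

    Matching the raw path would miss /%5Fdusk/login/1 or /_dusk//login/1,
    both of which the server/framework normalize before routing.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/+", "/", path)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_dusk_logins(lines):
    """Return one record per request that targeted the Dusk login route.

    Every status code is kept: 2xx/3xx means the route answered (plugin live,
    session issued); 403/404 after patching still shows who probed.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = DUSK_LOGIN_RE.match(normalize_path(rec["path"]))
        if not m:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "user_id": int(m.group("user_id")),
            "manager": m.group("manager"),
            "status": int(rec["status"]),
            "answered": rec["status"][0] in ("2", "3"),
        })
    return hits


def summarize(hits):
    """Count route hits per source IP, split by whether the route answered."""
    counts = Counter()
    for h in hits:
        counts[(h["ip"], "answered" if h["answered"] else "rejected")] += 1
    return dict(counts)


# Constructed sample lines (not real traffic). Line 2 is the same client using the
# session it just obtained; line 5 is a look-alike under a sub-path and must not
# match; line 6 is deliberately malformed.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2024:12:01:02 +0000] "GET /_dusk/login/1/backend HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Apr/2024:12:01:05 +0000] "GET /backend HTTP/1.1" 200 5123 "-" "curl/8.4.0"',
    '198.51.100.22 - - [10/Apr/2024:12:03:44 +0000] "GET /%5Fdusk//login/2/user?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2024:12:05:00 +0000] "GET /_dusk/login/1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2024:12:05:01 +0000] "GET /blog/_dusk/login/1/backend HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'garbage line that is not an access-log record',
]

if __name__ == "__main__":
    hits = find_dusk_logins(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize(hits))
```

Run it against a real file with `find_dusk_logins(open("/var/log/nginx/access.log"))`. Any record with "answered" set on a production host means the route was live and a session was handed out for that user ID; treat it as a confirmed compromise of that account rather than a scan.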