View online: https://www.drupal.org/sa-contrib-2025-009
Project: Authenticator Login [1] Date: 2025-January-29 Security risk: *Critical* 18 ∕ 25 AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <2.0.6 Description: This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.
The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.
Solution: Install the latest version:
* If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 [3] or more recent, as the 1.0.x branch is now unsupported * If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 [4] or more recent * If you use the alogin module 2.1.x, you do not need to do anything
Reported By: * Ahmed Raza [5]
Fixed By: * Ahmed Raza [6]
Coordinated By: * Damien McKenna [7] of the Drupal Security Team * Ivo Van Geertruyen [8] of the Drupal Security Team * Juraj Nemec [9] of the Drupal Security Team
[1] https://www.drupal.org/project/alogin [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/alogin/releases/2.0.6 [4] https://www.drupal.org/project/alogin/releases/2.0.6 [5] https://www.drupal.org/user/3007075 [6] https://www.drupal.org/user/3007075 [7] https://www.drupal.org/user/108450 [8] https://www.drupal.org/user/383424 [9] https://www.drupal.org/user/272316