[Security-news] Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
security-news at drupal.org
Wed Aug 13 17:33:24 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-096
Project: Authenticator Login [1]
Date: 2025-August-13
Security risk: *Highly critical* 21 ∕ 25
AC:Basic/A:None/CI:All/II:All/E:Proof/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.1.4
CVE IDs: CVE-2025-8995
Description:
This module enables users to set up two-factor authentication (2FA) using
authenticator apps for enhanced login security. The module alters the
standard Drupal login form to use AJAX callbacks for handling the authentication
flow.
The module doesn't sufficiently validate authentication under specific
conditions, allowing an attacker to log in as any account where they know the
username.
This vulnerability is mitigated by the fact that an attacker must make a
series of requests to trigger the necessary conditions that allow the
authentication bypass. The series of requests could alert a site owner that
they are being attacked; however, the number of requests necessary to trigger
the conditions is usually quite small (the number depends on site
configuration; by default it is 5).
Solution:
Install the latest version:
* If you use the alogin module for Drupal 10^, upgrade to the latest version
or at least Alogin 2.1.5 [3]
/Note: the fix is in a git tag for 2.1.4, however there is no release for
that tag. The fix is also in the 2.1.5 release./
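To check whether a site still carries an affected copy, here is an added example (not part of the advisory or of the alogin module) that reads a composer.lock and flags any drupal/alogin entry below 2.1.4; the composer.lock content, package name and version strings in it are constructed for the demonstration.

```python
import json
import re

# Per SA-CONTRIB-2025-096 every version below 2.1.4 is affected. 2.1.4 exists
# only as a git tag; 2.1.5 is the first packaged release carrying the fix.
FIXED_AT = (2, 1, 4)
MODULE = "drupal/alogin"  # assumed Composer package name for the alogin project


def parse_version(version):
    """Turn '2.1.3', '8.x-2.1.3' or 'v2.1.5' into a comparable (major, minor, patch)."""
    v = version.strip()
    v = re.sub(r"^\d+\.x-", "", v)  # drop a Drupal core-compat prefix such as '8.x-'
    v = v.lstrip("vV")
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        # '2.1.x-dev' and similar cannot be placed in the range; caller decides.
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is strictly below the fixed tag 2.1.4."""
    return parse_version(version) < FIXED_AT


def scan_composer_lock(lock_text):
    """Return (name, version, status) for each alogin entry in a composer.lock.

    status is 'affected', 'fixed' or 'unknown' (unparseable, e.g. a -dev branch).
    """
    lock = json.loads(lock_text)
    results = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != MODULE:
            continue
        try:
            status = "affected" if is_affected(pkg["version"]) else "fixed"
        except ValueError:
            status = "unknown"
        results.append((pkg["name"], pkg["version"], status))
    return results


# Constructed sample composer.lock: a site still on alogin 2.1.3.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.3.1"},
    {"name": MODULE, "version": "2.1.3"},
]})

if __name__ == "__main__":
    for name, version, status in scan_composer_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```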
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Ahmed Raza (ahmed.raza) [5]
Coordinated By:
* Damien McKenna (damienmckenna) [6] of the Drupal Security Team
* Dan Smith (galooph) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Cathy Theys (yesct) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/alogin
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/alogin/releases/2.1.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/ahmedraza
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/galooph
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/yesct