[Security-news] Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
security-news at drupal.org
Wed Jan 29 17:48:07 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-009
Project: Authenticator Login [1]
Date: 2025-January-29
Security risk: *Critical* 18/25
AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.0.6
Description:
This module allows a site to set up two-factor authentication via QR code
using authenticator applications on mobile devices, including phones.
The module does not properly protect its custom paths, allowing one user to
access a different user's two-factor configuration.
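The bypass described above is the classic per-user route whose only requirement is a logged-in session, so any authenticated user can open another user's settings path. The following is an added illustration, not the alogin module's code and not its actual fix: a hypothetical Drupal module `example_tfa` shows the weak route requirement beside an ownership check that ties the `{user}` in the path to the requesting account.

```php
<?php
// Hypothetical module "example_tfa" (assumption; not the alogin module).
// Route definition from example_tfa.routing.yml, shown here as a comment:
//
// example_tfa.user_settings:
//   path: '/user/{user}/tfa'
//   defaults:
//     _form: '\Drupal\example_tfa\Form\SettingsForm'
//   options:
//     parameters:
//       user: { type: 'entity:user' }
//   requirements:
//     # WEAK: only checks that *someone* is logged in, not *which* user.
//     # _user_is_logged_in: 'TRUE'
//     # HARDENED: delegate to the ownership check below.
//     _custom_access: '\Drupal\example_tfa\Access\OwnSettingsAccess::access'

namespace Drupal\example_tfa\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

final class OwnSettingsAccess {

  /**
   * Access callback for /user/{user}/tfa.
   *
   * Drupal upcasts {user} to a UserInterface entity and injects the current
   * account as $account, so the check can compare the two.
   */
  public function access(UserInterface $user, AccountInterface $account): AccessResultInterface {
    // Anonymous visitors never reach per-user 2FA settings.
    if ($account->isAnonymous()) {
      return AccessResult::forbidden()->addCacheContexts(['user.roles:anonymous']);
    }

    $isOwner = (int) $user->id() === (int) $account->id();
    $isAdmin = $account->hasPermission('administer users');

    // The verdict depends on who is asking, so cache it per user and per
    // permission set, and invalidate when the target user entity changes.
    return AccessResult::allowedIf($isOwner || $isAdmin)
      ->cachePerUser()
      ->cachePerPermissions()
      ->addCacheableDependency($user);
  }

}
```

A quick check for a site's own custom routes is to grep its `*.routing.yml` files for paths containing `{user}` whose requirements stop at `_user_is_logged_in`.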
Solution:
Install the latest version:
* If you use the alogin module 1.0.x, upgrade to at least Authenticator
Login 2.0.6 [3] or more recent, as the 1.0.x branch is now unsupported
* If you use the alogin module 2.0.x, upgrade to at least Authenticator
Login 2.0.6 [4] or more recent
* If you use the alogin module 2.1.x, you do not need to do anything
Reported By:
* Ahmed Raza [5]
Fixed By:
* Ahmed Raza [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
[1] https://www.drupal.org/project/alogin
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/alogin/releases/2.0.6
[4] https://www.drupal.org/project/alogin/releases/2.0.6
[5] https://www.drupal.org/user/3007075
[6] https://www.drupal.org/user/3007075
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/383424
[9] https://www.drupal.org/user/272316