it-securitynotifies - [IT-SecNots] [Security-news] Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
  • Date: Wed, 29 Jan 2025 17:48:07 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=iAU3E65g; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 4003B61253
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 6894A40538
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-009

Project: Authenticator Login [1]
Date: 2025-January-29
Security risk: *Critical* 18 ∕ 25
AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <2.0.6
Description: 
This module lets a site set up two-factor authentication via a QR code,
using authenticator applications on mobile devices, including phones.

The module does not properly protect its custom paths, so one user can
access a different user's two-factor configuration.
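
The sentence above is all the advisory says about the flaw, so the following is an added illustration, not code from the alogin module, of the class of mistake it names (a per-user path whose only access requirement is a generic permission) and the Drupal-idiomatic fix (tie route access to the `{user}` parameter). The module name `alogin_example`, the path `/user/{user}/authenticator`, the class and method names and the `_custom_access` callback are all assumptions made for this example.

```php
<?php

/**
 * Added example (not the alogin project's code): protecting a per-user
 * two-factor configuration route in Drupal.
 *
 * Assumed routing definition in alogin_example.routing.yml:
 *
 * alogin_example.tfa_setup:
 *   path: '/user/{user}/authenticator'
 *   defaults:
 *     _controller: '\Drupal\alogin_example\Controller\TfaSetupController::setup'
 *     _title: 'Authenticator setup'
 *   requirements:
 *     # Weak: any account with a generic permission can open any {user}'s
 *     # page, because nothing relates the requester to the {user} parameter.
 *     # _permission: 'access content'
 *     # Fixed: an access callback that compares the requester to {user}.
 *     _custom_access: '\Drupal\alogin_example\Controller\TfaSetupController::access'
 *     user: '\d+'
 *   options:
 *     parameters:
 *       user:
 *         type: 'entity:user'
 */

namespace Drupal\alogin_example\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

class TfaSetupController extends ControllerBase {

  /**
   * Route access callback: only the account owner or a user administrator.
   *
   * $account is the current user and $user is the upcast {user} route
   * parameter; Drupal's access-check argument resolver injects both.
   */
  public function access(AccountInterface $account, UserInterface $user): AccessResultInterface {
    // Cast both ids: AccountInterface::id() and EntityInterface::id() may
    // return int or string, so a bare === could wrongly deny the owner.
    $is_owner = (int) $account->id() === (int) $user->id();
    $is_admin = $account->hasPermission('administer users');

    return AccessResult::allowedIf($is_owner || $is_admin)
      // The decision depends on who asks and on the target account, so the
      // cached result must vary by user and be invalidated with the entity.
      ->cachePerUser()
      ->addCacheableDependency($user);
  }

  /**
   * Page callback. With the access callback on the route, $user is either
   * the current account or a target chosen by a user administrator.
   */
  public function setup(UserInterface $user): array {
    return [
      '#markup' => $this->t('Authenticator setup for @name', [
        '@name' => $user->getDisplayName(),
      ]),
      '#cache' => [
        'contexts' => ['user'],
        'tags' => $user->getCacheTags(),
      ],
    ];
  }

}
```

The same owner-or-administrator rule can be expressed without a callback by requiring `_entity_access: 'user.update'` on the route, since core's user access handler only grants `update` on an account to its owner or to holders of `administer users`. Whichever form is used, the check belongs on the route itself: hiding a path from menus or links does nothing against a user who types another account's id into the URL.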

Solution: 
Install the latest version:

* If you use the alogin module 1.0.x, upgrade to Authenticator Login 2.0.6
[3] or later; the 1.0.x branch is now unsupported
* If you use the alogin module 2.0.x, upgrade to Authenticator Login 2.0.6
[4] or later
* If you use the alogin module 2.1.x, you do not need to do anything

Reported By: 
* Ahmed Raza [5]

Fixed By: 
* Ahmed Raza [6]

Coordinated By: 
* Damien McKenna [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team


[1] https://www.drupal.org/project/alogin
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/alogin/releases/2.0.6
[4] https://www.drupal.org/project/alogin/releases/2.0.6
[5] https://www.drupal.org/user/3007075
[6] https://www.drupal.org/user/3007075
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/383424
[9] https://www.drupal.org/user/272316

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
