Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-January-29
Vulnerability:
Access bypass
Affected versions:
<2.0.6
CVE IDs:
CVE-2025-31681
Description:
This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.
The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.
Solution:
Install the latest version:
- If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent, as the 1.0.x branch is now unsupported
- If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent
- If you use the alogin module 2.1.x, you do not need to do anything
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
