Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

Wed, 2025-01-29 08:54 — Anonymous (not verified)

Project: Authenticator LoginDate: 2025-January-29Security risk: Critical 18 ∕ 25 AC:Basic/A:None/CI:Some/II:All/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.6Description: This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones.
The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration.Solution: Install the latest version:

If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent, as the 1.0.x branch is now unsupported
If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent
If you use the alogin module 2.1.x, you do not need to do anything

Reported By:

Ahmed Raza

Fixed By:

Ahmed Raza

Coordinated By:

Damien McKenna of the Drupal Security Team
Ivo Van Geertruyen of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-009

Search form

Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009