OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Project: OAuth2 Server
Date: 2025-February-26
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <2.1.0
Description: Provides OAuth2 server functionality based on the oauth2-server-php library.
The module does not consistently enforce admin configurations, allowing users on a disabled server to still authenticate.
Solution: Install the latest version:
- If you use the OAuth2 server module for Drupal 2.x, upgrade to OAuth2 server 2.1.0
Reported By:
Fixed By:
- cafuego
- Lee Rowlands (larowlan) of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team