DRUPAL-CONTRIB-2025-096

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/alogin/DRUPAL-CONTRIB-2025-096.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-096
Aliases
  • CVE-2025-8995
Published
2025-08-13T17:33:24Z
Modified
2025-12-10T23:41:27.612803Z
Summary
[none]
Details

This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling the authentication flow.

The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.

This vulnerability is mitigated by the fact that an attacker must make a series of requests to trigger the conditions that allow the authentication bypass. This series of requests could alert a site owner that they are being attacked; however, the number of requests needed to trigger the conditions is usually quite small (it depends on site configuration; by default it is 5).

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/alogin

Package

Name
drupal/alogin
Purl
pkg:composer/drupal/alogin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.5
Database specific
{
    "constraint": "<2.1.5"
}

Database specific

affected_versions
"<2.1.5"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/alogin/DRUPAL-CONTRIB-2025-096.json"
patched
true