CVE-2025-31681
Published 2025-03-31
CVE-2025-31681: Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
Priority: P348 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% (29.2th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authenticator_login_project | authenticator_login | < 2.0.6 | 2.0.6 |
| drupal | alogin | >= 0 < 2.0.6 | 2.0.6 |
| drupal | alogin | >= 0 < 2.0.6 | 2.0.6 |
| drupal | authenticator_login | — | — |
| drupal | authenticator_login | >= 0.0.0 < 2.0.6 | 2.0.6 |
GHSA
Drupal Authenticator Login Missing Authorization vulnerability
ghsa·2025-04-01
CVE-2025-31681 [HIGH] CWE-862 Drupal Authenticator Login Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
OSV
Drupal Authenticator Login Missing Authorization vulnerability
osv·2025-04-01
CVE-2025-31681 [HIGH] Drupal Authenticator Login Missing Authorization vulnerability
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 before 2.0.6.
OSV
CVE-2025-31681: This module allows a site to set up two-factor authentication via QR code using authenticator applications on mobile devices including phones
osv·2025-01-29
This module allows a site to set up two-factor authentication via QR code using authenticator applications on mobile devices including phones.
The module does not properly protect its custom paths, allowing one user to access a different user's two-factor configuration.
Drupal
Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
vendor_drupal·2025-01-29
CVE-2025-31681 [HIGH] Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
Title: Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
Vulnerability Type: Access bypass
Description: This module allows a site to set up two-factor authentication via QR code using authenticator applications on mobile devices including phones. The module does not properly protect its custom paths, allowing one user to access a different user's two-factor configuration.
Solution: Install the latest version:
- If you use the alogin module 1.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent, as the 1.0.x branch is now unsupported.
- If you use the alogin module 2.0.x, upgrade to at least Authenticator Login 2.0.6 or more recent.
- If you use the alogin module 2.1.x, you do not need to do anything.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.