CVE-2025-31681: Drupal Authenticator Login Missing Authorization vulnerability

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.20655%
Published: 4/1/2025
Updated: 4/2/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: drupal/alogin
Ecosystem: composer
Vulnerable Versions: < 2.0.6
First Patched Version: 2.0.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing authorization checks on user-specific 2FA configuration paths. In Drupal's architecture:

  1. Controller methods handling these paths would appear in stack traces when the configuration endpoints are accessed.
  2. Routing configuration would define the vulnerable endpoints.
  3. The lack of access checks in routing (no _permission or _access requirement) or missing user-context validation in the controllers creates the exposure.

While no patch diff is available, Drupal security patterns indicate:

  • Configuration endpoints would be handled by dedicated controller methods.
  • Missing '%user' route parameter context or a missing 'access configure alogin' access requirement would be the primary vectors.

These functions represent the most likely execution points where unauthorized access would occur during exploitation.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login versions before 2.0.6.

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks on us*r-sp**i*i* *** *on*i*ur*tion p*t*s. In *rup*l *r**it**tur*: *. *ontroll*r m*t*o*s **n*lin* t**s* p*t*s woul* *pp**r in st**k tr***s w**n ****ssin* *on*i*ur*tion *n*points *. Routin* *on*