From 873b842349b898d52670fbe2d14613f72b46907a Mon Sep 17 00:00:00 2001 From: Lorenzo Milesi Date: Fri, 16 Sep 2022 17:19:38 +0200 Subject: [PATCH] Added a not about 2FA security issue in changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc5b5d5..9fdeb38 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ compatibility, leaving behind obsolete versions. While yii2-usuario should still work without issues on 5.6, from now on testing and development will look forward and maintain only >=7.4 versions. +There's also a **security issue** for 2FA tokens: `settings/two-factor` route +wasn't checking for the currently logged in user, so any authenticated account +could access to all user's 2FA root code. If you cannot upgrade, check +[24d5d5744fe0](https://github.com/2amigos/yii2-usuario/commit/24d5d5744fe03f3173ea180f106865ffaf4f48a4). + There's a change in flash messages handling, please see #391 - Enh: update welcome and confirmation email ending line (maxxer)
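Review bot: the new changelog paragraph describes a security fix but never says which release contains it, so a reader of this entry cannot tell whether their installed version is affected; state the fixed version explicitly next to the commit link (for example "fixed in <version> via 24d5d5744fe0") rather than only "If you cannot upgrade, check …". The wording also needs tightening: "could access to all user's 2FA root code" should read "could access every user's 2FA root code", and "wasn't checking for the currently logged in user" is clearer as "did not verify that the requested user matched the currently logged-in user". Finally, the commit subject has a typo ("Added a not" for "Added a note").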