Added a not about 2FA security issue in changelog

2022-09-16 17:19:38 +02:00
parent 24d5d5744f
commit 873b842349
1 changed files with 5 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,11 @@ compatibility, leaving behind obsolete versions. While yii2-usuario should
 still work without issues on 5.6, from now on testing and development will
 look forward and maintain only >=7.4 versions.

+There's also a **security issue** for 2FA tokens: `settings/two-factor` route
+wasn't checking for the currently logged in user, so any authenticated account
+could access to all user's 2FA root code. If you cannot upgrade, check
+[24d5d5744fe0](https://github.com/2amigos/yii2-usuario/commit/24d5d5744fe03f3173ea180f106865ffaf4f48a4).
+
 There's a change in flash messages handling, please see #391

 - Enh: update welcome and confirmation email ending line (maxxer)