Commit 8609af2292652234a70e4457d63ff1e10a510631 fixes 2FA in new installations.
However, there is no default for the newly introduced config('fortify.limiters.two-factor'). Therefore existing installations remain vulnerable (no 2FA rate-limiting will be applied) until the published config is updated to match the updated stub.
The severity might be medium to low, but this might still necessitate a security advisory, at least a mention in the release notes, and maybe a hint on Laravel News?
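As an added illustration (not code from the issue or from the Fortify project), this is what the `limiters` section of an already published `config/fortify.php` looks like before and after it is brought in line with the updated stub. The key name `fortify.limiters.two-factor` is the one the issue refers to; the exact layout of the upstream stub and the other options in the file are assumed.

```php
<?php

// config/fortify.php (fragment; other options omitted and unchanged)
//
// BEFORE: a config file published before the fix has no 'two-factor' key, so
// config('fortify.limiters.two-factor') evaluates to null and no throttle
// middleware is applied to two-factor code submissions:
//
//     'limiters' => [
//         'login' => 'login',
//     ],
//
// AFTER: add the key so the named rate limiter is applied (assumed to match
// the updated stub).
return [
    'limiters' => [
        'login' => 'login',
        'two-factor' => 'two-factor',
    ],
];
```

The key only names a limiter; the application's `FortifyServiceProvider::boot()` must also register one under that name (for example `RateLimiter::for('two-factor', fn (Request $request) => Limit::perMinute(5)->by($request->session()->get('login.id')))`, the values being an assumption, not the project's). A quick check on an existing installation is to open `php artisan tinker` and evaluate `config('fortify.limiters.two-factor')`: `null` means the published config still lacks the key and 2FA attempts are unthrottled.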