Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
The vulnerability results from improper implementation of the two-factor authentication mechanism in the TFA module. The flaw allows an attacker to bypass or abuse the second authentication factor verification process. Due to the network vector (AV:N), lack of required privileges (PR:N), and lack of user interaction (UI:N), the attack can be conducted remotely without any preconditions.
An attacker can gain unauthorized access to user accounts protected by the TFA mechanism, effectively bypassing two-factor authentication security. Potential violations of confidentiality, integrity, and availability of data (all three indicators rated as HIGH).
The Two-Factor Authentication (TFA) module should be updated to version 1.5.0 or newer. Detailed information is available in the official Drupal security advisory at https://www.drupal.org/sa-contrib-2024-003.
Two-Factor Authentication (TFA) module for Drupal in versions from 0.0.0 to 1.5.0 (version 1.5.0 is not affected by the vulnerability).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTwo Factor Authentication Project Two Factor Authentication
APPTwo-Factor Authentication Project< 8.x-1.5
Related vulnerabilities
Session Fixation w module Drupal Two-Factor Authentication (TFA)
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This ...
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploitin...