CRITICAL🇵🇱 Wersja polska

CVE-2024-13279

CVSS 9.8v3.1pub. 2025-01-09upd. 2025-09-02

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.

🤖 AI Analysis
How it works

The session fixation vulnerability (CWE-384) consists of the application not generating a new session identifier after successful user authentication. An attacker can pre-emptively provide the victim with a known session identifier, and then — after the victim logs in using two-factor authentication — take over this session and act within the context of their permissions. The vulnerability can be exploited remotely, without authentication and without user interaction beyond the act of logging in.

Impact

An attacker gains full access to the session of an authenticated user, which may lead to account takeover, disclosure of sensitive data, and violation of integrity and availability of Drupal site resources.

Mitigation & patch

The Two-Factor Authentication (TFA) module should be updated to version 1.8.0 or later. Detailed information is available in the Drupal security advisory: https://www.drupal.org/sa-contrib-2024-043

Who is affected

Two-Factor Authentication (TFA) module for Drupal in versions from 0.0.0 to 1.8.0 (version 1.8.0 excluded).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Two Factor Authentication Project Two Factor Authentication

    APP
    Two-Factor Authentication Project
    < 8.x-1.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-13239CRITICAL9.8PL ✓ten sam produkt

Słabe uwierzytelnianie w module Two-Factor Authentication dla Drupal

CVE-2025-31694HIGH8.1ten sam produkt

Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This ...

CVE-2025-7030MEDIUM6.5ten sam produkt

Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploitin...