12 vulnerabilities found for two-factor_authentication by two-factor_authentication_project
FKIE_CVE-2025-7030
Vulnerability from fkie_nvd - Published: 2025-07-08 21:15 - Updated: 2025-09-04 17:06
Severity ?
Summary
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
References
| Source | URL | Tags |
|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-contrib-2025-085 | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| two-factor_authentication_project | two-factor_authentication | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:two-factor_authentication_project:two-factor_authentication:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "6B3F7699-98EF-4055-8B9E-63CB085B501B",
"versionEndExcluding": "8.x-1.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de privilegio definido con acciones inseguras en Drupal Two-factor Authentication (TFA) permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a la autenticaci\u00f3n de dos factores (TFA): desde la versi\u00f3n 0.0.0 hasta la 1.11.0."
}
],
"id": "CVE-2025-7030",
"lastModified": "2025-09-04T17:06:35.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-08T21:15:28.773",
"references": [
{
"source": "mlhess@drupal.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.drupal.org/sa-contrib-2025-085"
}
],
"sourceIdentifier": "mlhess@drupal.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-267"
}
],
"source": "mlhess@drupal.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-31694
Vulnerability from fkie_nvd - Published: 2025-03-31 22:15 - Updated: 2025-09-02 18:35
Severity ?
Summary
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
References
| Source | URL | Tags |
|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-contrib-2025-023 | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| two-factor_authentication_project | two-factor_authentication | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:two-factor_authentication_project:two-factor_authentication:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "B5EB75CE-45EB-48E1-9EBF-D911C6526077",
"versionEndExcluding": "8.x-1.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal Two-factor Authentication (TFA) permite una navegaci\u00f3n forzada. Este problema afecta a la autenticaci\u00f3n de dos factores (TFA): desde la versi\u00f3n 0.0.0 hasta la 1.10.0."
}
],
"id": "CVE-2025-31694",
"lastModified": "2025-09-02T18:35:00.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-31T22:15:22.100",
"references": [
{
"source": "mlhess@drupal.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.drupal.org/sa-contrib-2025-023"
}
],
"sourceIdentifier": "mlhess@drupal.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-288"
}
],
"source": "mlhess@drupal.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-13279
Vulnerability from fkie_nvd - Published: 2025-01-09 20:15 - Updated: 2025-09-02 18:28
Severity ?
Summary
Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.
References
| Source | URL | Tags |
|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-contrib-2024-043 | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| two-factor_authentication_project | two-factor_authentication | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:two-factor_authentication_project:two-factor_authentication:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "1E9C5D5D-A670-4A12-96C2-C156A1E40F86",
"versionEndExcluding": "8.x-1.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en Drupal Two-factor Authentication (TFA) permite la fijaci\u00f3n de sesi\u00f3n. Este problema afecta a Two-factor Authentication (TFA): desde la versi\u00f3n 0.0.0 hasta la 1.8.0."
}
],
"id": "CVE-2024-13279",
"lastModified": "2025-09-02T18:28:28.747",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-09T20:15:36.803",
"references": [
{
"source": "mlhess@drupal.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.drupal.org/sa-contrib-2024-043"
}
],
"sourceIdentifier": "mlhess@drupal.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "mlhess@drupal.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-13239
Vulnerability from fkie_nvd - Published: 2025-01-09 19:15 - Updated: 2025-06-04 16:38
Severity ?
Summary
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
References
| Source | URL | Tags |
|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-contrib-2024-003 | Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| two-factor_authentication_project | two-factor_authentication | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:two-factor_authentication_project:two-factor_authentication:*:*:*:*:*:drupal:*:*",
"matchCriteriaId": "1B5226B1-893E-4148-9B06-25152D168912",
"versionEndExcluding": "8.x-1.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de autenticaci\u00f3n d\u00e9bil en Drupal Two-factor Authentication (TFA) permite el abuso de la autenticaci\u00f3n. Este problema afecta a Two-factor Authentication (TFA): desde la versi\u00f3n 0.0.0 hasta la 1.5.0."
}
],
"id": "CVE-2024-13239",
"lastModified": "2025-06-04T16:38:42.120",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-09T19:15:17.663",
"references": [
{
"source": "mlhess@drupal.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.drupal.org/sa-contrib-2024-003"
}
],
"sourceIdentifier": "mlhess@drupal.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1390"
}
],
"source": "mlhess@drupal.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-7030 (GCVE-0-2025-7030)
Vulnerability from cvelistv5 – Published: 2025-07-08 20:54 – Updated: 2025-07-09 14:23
Title
Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085
Summary
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
Severity ?
6.5 (Medium)
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.11.0 (semver) |
Date Public ?
2025-07-02 17:37
Credits
Conrad Lara (cmlara)
Conrad Lara (cmlara)
cilefen (cilefen)
Dan Smith (galooph)
Greg Knaddison (greggles)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-7030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T14:23:06.946669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T14:23:22.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dan Smith (galooph)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-07-02T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T20:54:13.917Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-7030",
"datePublished": "2025-07-08T20:54:13.917Z",
"dateReserved": "2025-07-02T16:07:06.376Z",
"dateUpdated": "2025-07-09T14:23:22.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31694 (GCVE-0-2025-31694)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:51 – Updated: 2025-04-29 15:19
Title
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
Summary
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.10.0 (semver) |
Date Public ?
2025-03-05 18:17
Credits
Conrad Lara (cmlara)
Elaman Imashov (elaman)
Conrad Lara (cmlara)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:19:26.297673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:19:38.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "finder",
"value": "Elaman Imashov (elaman)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-03-05T18:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T01:36:35.038Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31694",
"datePublished": "2025-03-31T21:51:40.451Z",
"dateReserved": "2025-03-31T21:30:25.064Z",
"dateUpdated": "2025-04-29T15:19:38.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13279 (GCVE-0-2024-13279)
Vulnerability from cvelistv5 – Published: 2025-01-09 19:31 – Updated: 2025-01-10 16:29
Title
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043
Summary
Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.
Severity ?
9.8 (Critical)
CWE
- CWE-384 - Session Fixation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.8.0 (semver) |
Date Public ?
2024-10-02 16:20
Credits
Francesco Placella
Francesco Placella
Juraj Nemec
Conrad Lara
Greg Knaddison
Juraj Nemec
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:29:28.755887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:29:51.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Placella"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Francesco Placella"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-10-02T16:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.\u003c/p\u003e"
}
],
"value": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:31:45.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-043"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13279",
"datePublished": "2025-01-09T19:31:45.632Z",
"dateReserved": "2025-01-09T18:28:14.858Z",
"dateUpdated": "2025-01-10T16:29:51.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13239 (GCVE-0-2024-13239)
Vulnerability from cvelistv5 – Published: 2025-01-09 18:35 – Updated: 2025-01-10 17:18
Title
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
Summary
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
Severity ?
9.8 (Critical)
CWE
- CWE-1390 - Weak Authentication
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.5.0 (semver) |
Date Public ?
2024-01-24 15:42
Credits
Ide Braakman
Conrad Lara
Juraj Nemec
João Ventura
Damien McKenna
Greg Knaddison
Benji Fisher
Heine
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:17:44.904895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:18:02.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ide Braakman"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jo\u00e3o Ventura"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine"
}
],
"datePublic": "2024-01-24T15:42:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1390",
"description": "CWE-1390 Weak Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:35:46.333Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13239",
"datePublished": "2025-01-09T18:35:46.333Z",
"dateReserved": "2025-01-09T18:26:59.643Z",
"dateUpdated": "2025-01-10T17:18:02.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7030 (GCVE-0-2025-7030)
Vulnerability from nvd – Published: 2025-07-08 20:54 – Updated: 2025-07-09 14:23
Title
Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085
Summary
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
Severity ?
6.5 (Medium)
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.11.0 (semver) |
Date Public ?
2025-07-02 17:37
Credits
Conrad Lara (cmlara)
Conrad Lara (cmlara)
cilefen (cilefen)
Dan Smith (galooph)
Greg Knaddison (greggles)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-7030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T14:23:06.946669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T14:23:22.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.11.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dan Smith (galooph)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-07-02T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.\u003c/p\u003e"
}
],
"value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T20:54:13.917Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-7030",
"datePublished": "2025-07-08T20:54:13.917Z",
"dateReserved": "2025-07-02T16:07:06.376Z",
"dateUpdated": "2025-07-09T14:23:22.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31694 (GCVE-0-2025-31694)
Vulnerability from nvd – Published: 2025-03-31 21:51 – Updated: 2025-04-29 15:19
Title
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
Summary
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.10.0 (semver) |
Date Public ?
2025-03-05 18:17
Credits
Conrad Lara (cmlara)
Elaman Imashov (elaman)
Conrad Lara (cmlara)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:19:26.297673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:19:38.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "finder",
"value": "Elaman Imashov (elaman)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-03-05T18:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T01:36:35.038Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31694",
"datePublished": "2025-03-31T21:51:40.451Z",
"dateReserved": "2025-03-31T21:30:25.064Z",
"dateUpdated": "2025-04-29T15:19:38.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13279 (GCVE-0-2024-13279)
Vulnerability from nvd – Published: 2025-01-09 19:31 – Updated: 2025-01-10 16:29
Title
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043
Summary
Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.
Severity
9.8 (Critical)
CWE
- CWE-384 - Session Fixation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.8.0 (semver) |
Date Public
2024-10-02 16:20
Credits
Francesco Placella
Francesco Placella
Juraj Nemec
Conrad Lara
Greg Knaddison
Juraj Nemec
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:29:28.755887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:29:51.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Placella"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Francesco Placella"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-10-02T16:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.\u003c/p\u003e"
}
],
"value": "Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:31:45.632Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-043"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13279",
"datePublished": "2025-01-09T19:31:45.632Z",
"dateReserved": "2025-01-09T18:28:14.858Z",
"dateUpdated": "2025-01-10T16:29:51.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13239 (GCVE-0-2024-13239)
Vulnerability from nvd – Published: 2025-01-09 18:35 – Updated: 2025-01-10 17:18
Title
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
Summary
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
Severity
9.8 (Critical)
CWE
- CWE-1390 - Weak Authentication
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Drupal | Two-factor Authentication (TFA) | Affected: 0.0.0, < 1.5.0 (semver) |
Date Public
2024-01-24 15:42
Credits
Ide Braakman
Conrad Lara
Juraj Nemec
João Ventura
Damien McKenna
Greg Knaddison
Benji Fisher
Heine
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:17:44.904895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:18:02.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa",
"defaultStatus": "unaffected",
"product": "Two-factor Authentication (TFA)",
"repo": "https://git.drupalcode.org/project/tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ide Braakman"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jo\u00e3o Ventura"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine"
}
],
"datePublic": "2024-01-24T15:42:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.\u003cp\u003eThis issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.\u003c/p\u003e"
}
],
"value": "Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1390",
"description": "CWE-1390 Weak Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:35:46.333Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13239",
"datePublished": "2025-01-09T18:35:46.333Z",
"dateReserved": "2025-01-09T18:26:59.643Z",
"dateUpdated": "2025-01-10T17:18:02.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}