Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
Project: Email TFA
Date: 2025-January-08
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.0.3
Description: This module adds email-based two-factor authentication: each time a user logs in to your site, a verification code is sent to the email address registered on their account and must be entered as the second factor.
The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.
This vulnerability is mitigated by the fact that the attacker must already be able to present the username and first factor (i.e. the password); the weakness only lowers the protection the second factor adds on top of that.
Solution: Install the latest version:
- If you use the Email TFA module, upgrade to Email TFA 2.0.3
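To illustrate the weakness class this advisory describes, the following is an added example and not the Email TFA module's code. It contrasts a code verifier that accepts unlimited guesses with one that caps attempts per issued code, expires the code and makes it single-use, then runs an enumerating attacker against both. The code length, attempt cap, validity window and all function names are assumptions chosen for the example, not values taken from the module.

```python
"""Attempt-limited verification of an emailed one-time code.

Added illustration, not the Email TFA module's code. It contrasts a verifier
that accepts unlimited guesses (the weakness class the advisory describes) with
one that caps attempts, expires the code and makes it single-use. Constants and
names are assumptions chosen for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumed code length; 10**6 possible values
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code
CODE_TTL_SECONDS = 300   # assumed validity window


@dataclass
class PendingChallenge:
    """State kept server-side for one emailed code."""
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def issue_code(now=None):
    """Generate a fresh zero-padded numeric code using a CSPRNG."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return PendingChallenge(code=code, issued_at=time.time() if now is None else now)


def verify_unlimited(challenge, submitted, now=None):
    """Weak pattern: plain comparison, no counter, no expiry, no consumption.

    An attacker who already holds the first factor can enumerate all
    10**CODE_DIGITS values and is guaranteed to get in.
    """
    return challenge.code == submitted


def verify_limited(challenge, submitted, now=None):
    """Hardened pattern. Returns 'ok', 'wrong', 'locked' or 'expired'.

    Every call counts as an attempt; once MAX_ATTEMPTS is reached the code is
    dead even if the correct value is submitted later, so the attacker must
    trigger a new code (and a new email to the victim) to keep guessing.
    """
    now = time.time() if now is None else now
    if challenge.consumed:
        return "locked"
    if now - challenge.issued_at > CODE_TTL_SECONDS:
        challenge.consumed = True
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        challenge.consumed = True
        return "locked"
    challenge.attempts += 1
    # Constant-time comparison avoids leaking a matching prefix via timing.
    if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        challenge.consumed = True   # single use
        return "ok"
    return "wrong"


def brute_force(verify, challenge, now=0.0):
    """Enumerate codes in ascending order against `verify`.

    Returns the number of guesses needed to get in, or None if the verifier
    shut the attack down (locked/expired) or the space was exhausted.
    """
    for guess in range(10 ** CODE_DIGITS):
        result = verify(challenge, f"{guess:0{CODE_DIGITS}d}", now)
        if result is True or result == "ok":
            return guess + 1
        if result in ("locked", "expired"):
            return None
    return None


def success_probability(guesses, digits=CODE_DIGITS):
    """Chance that `guesses` distinct tries hit a uniformly random code."""
    return min(1.0, guesses / 10 ** digits)


if __name__ == "__main__":
    victim = PendingChallenge(code="004242", issued_at=0.0)   # constructed sample
    print("unlimited verifier:", brute_force(verify_unlimited, victim))   # 4243
    victim = PendingChallenge(code="004242", issued_at=0.0)
    print("limited verifier:", brute_force(verify_limited, victim))       # None
    print("odds with", MAX_ATTEMPTS, "tries:", success_probability(MAX_ATTEMPTS))
```

Against the unlimited verifier the attacker needs on average half a million tries and always succeeds; against the capped verifier the same attacker gets MAX_ATTEMPTS guesses per emailed code, a 5 in a million chance here, and each further round generates another email to the account owner. A real deployment would also rate-limit code issuance itself, since otherwise the attacker can cycle through fresh codes.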
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team