As an academic group, we wanted to improve the look and feel of our website on a tight budget. The team at Project Ricochet was consistently responsive to our concerns and willing to help us meet our goals. They were transparent with their costs, which allowed us to pick and choose which features and changes we deemed most important. Thanks to this transparency, our new website is a substantial improvement over the old that we were able to achieve in a cost-effective fashion.
—Justin Inman, UCSF

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

Wed, 2025-11-05 10:08 — Anonymous (not verified)

Project: Email TFADate: 2025-November-05Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.6CVE IDs: CVE-2025-12760Description: The Email TFA module provides additional email-based two-factor authentication for Drupal logins.
In certain scenarios, the module does not fully protect all login mechanisms as expected.
This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.Solution: Install the latest version:

If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

abdulaziz zaid

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)

Path to article https://www.drupal.org/sa-contrib-2025-115

Search form

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115