"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

Wed, 2025-05-07 10:07 — Anonymous (not verified)

Project: Enterprise MFA - TFA for DrupalDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.7.0 || >=5.0.0 <5.2.0CVE IDs: CVE-2025-47706Description: The module enables you to add second-factor authentication in addition to the default Drupal login.
The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods.
This vulnerability is mitigated by the fact that an attacker must have a username, password and TOTP token generated within the last 5 minutes.Solution: Install the latest version:

If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.

Reported By:

Conrad Lara (cmlara)

Fixed By:

Sudhanshu Dhage (sudhanshu0542)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-052

Search form

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052