it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
- Date: Wed, 8 Jan 2025 18:39:43 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Ax8oVx7e; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-001
Project: Email TFA [1]
Date: 2025-January-08
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.0.3
Description:
This module adds two-factor authentication by email: each time a user tries to
log in to your site, a verification code is sent to the email address registered
on that user's account and must be entered to complete the login.
The module did not sufficiently protect against brute-force attacks on that
verification code, allowing an attacker to bypass the second factor by guessing
it.
This vulnerability is mitigated by the fact that the attacker must already be
able to present the username and first factor (i.e. the password).
Solution:
Install the latest version:
* If you use the Email TFA module, upgrade to Email TFA 2.0.3 [3]
Reported By:
* Ursin Cola [4]
Fixed By:
* Ursin Cola [5]
* abdulaziz zaid [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/email_tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_tfa/releases/2.0.3
[4] https://www.drupal.org/user/679260
[5] https://www.drupal.org/user/679260
[6] https://www.drupal.org/user/3585656
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.