it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
- Date: Wed, 5 Nov 2025 18:08:02 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-115
Project: Email TFA [1]
Date: 2025-November-05
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.6
CVE IDs: CVE-2025-12760
Description:
The Email TFA module provides additional email-based two-factor
authentication for Drupal logins.
In certain scenarios, the module does not fully protect all login mechanisms
as expected.
This issue is mitigated by the fact that an attacker must already have valid
user credentials (username and password) to take advantage of the weakness.
Solution:
Install the latest version:
* If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6 [3]
Reported By:
* Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security Team
Fixed By:
* abdulaziz zaid [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8]
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/email_tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_tfa/releases/2.0.6
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/abdulaziz-zaid
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3556247
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
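
A check for the affected range stated in the advisory above (versions below 2.0.6), added here as an example and not part of the advisory or the Email TFA project. It assumes a Composer-managed site where the module is locked under the conventional package name `drupal/email_tfa`; the function names and the sample lock file are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/email_tfa"  # assumed Composer name for drupal.org/project/email_tfa
FIXED = (2, 0, 6)             # advisory: affected versions are <2.0.6

def parse_version(raw):
    """Return (major, minor, patch) for a plain X.Y.Z release, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def check_lock(lock_text):
    """Return (status, locked_version) for Email TFA in a composer.lock.

    status is 'absent', 'affected', 'fixed', or 'unknown' (dev branches and
    pre-releases such as '2.x-dev' need a manual look rather than a guess).
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            return "unknown", raw
        # Tuple comparison is numeric, so 2.0.10 sorts after 2.0.6.
        return ("affected" if ver < FIXED else "fixed"), raw
    return "absent", None

# Constructed sample lock file contents, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/email_tfa", "version": "2.0.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    status, version = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE}: {status} (locked at {version})")
```

A result of `unknown` means the locked version is a dev branch or pre-release and has to be compared against the 2.0.6 release by hand.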