DRUPAL-CONTRIB-2024-043

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tfa/DRUPAL-CONTRIB-2024-043.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-043
Aliases
  • CVE-2024-13279
Published
2024-10-02T16:20:48Z
Modified
2025-12-10T23:41:28.668396Z
Summary
[none]
Details

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

The module does not sufficiently migrate (regenerate) the user's session before prompting for a second-factor token, so the session established by the password step is carried over into the second-factor step.

This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing two-factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/tfa

Package

Name
drupal/tfa
Purl
pkg:composer/drupal/tfa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.0
Database specific
{
    "constraint": "<1.8.0"
}

Database specific

affected_versions
"<1.8.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tfa/DRUPAL-CONTRIB-2024-043.json"