DRUPAL-CONTRIB-2025-062

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/one_time_password/DRUPAL-CONTRIB-2025-062.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-062

Aliases

CVE-2025-48011

Published

2025-05-14T18:05:22Z

Modified

2025-12-10T23:41:27.808907Z

Summary

[none]

Details

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes.

A new requirements check has been added to the status report so other authentication providers can be assessed to check if they also allow for this bypass.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password.

References

https://www.drupal.org/sa-contrib-2025-062

Credits

- Conrad Lara (cmlara)
- - https://www.drupal.org/u/cmlara

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/one_time_password

Package

Name: drupal/one_time_password
Purl: pkg:composer/drupal/one_time_password

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.3.0

Database specific

{
    "constraint": "<1.3.0"
}

Database specific

affected_versions

"<1.3.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/one_time_password/DRUPAL-CONTRIB-2025-062.json"