DRUPAL-CONTRIB-2025-001

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/email_tfa/DRUPAL-CONTRIB-2025-001.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-001
Aliases
  • CVE-2025-31676
Published
2025-01-08T17:22:11Z
Modified
2025-12-10T23:41:24.981063Z
Summary
[none]
Details

This module enables two-factor authentication by email: every time a user tries to log in to your site, a verification code is sent to the user's registered email address.

The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.

This vulnerability is mitigated by the fact that the attacker must be able to present the username and first factor (i.e. password).

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/email_tfa

Package

Name
drupal/email_tfa
Purl
pkg:composer/drupal/email_tfa

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.3
Database specific
{
    "constraint": ">=2.0.0 <2.0.3"
}

Database specific

affected_versions
">=2.0.0 <2.0.3"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/email_tfa/DRUPAL-CONTRIB-2025-001.json"
patched
true