DRUPAL-CONTRIB-2025-061

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/one_time_password/DRUPAL-CONTRIB-2025-061.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-061

Aliases

CVE-2025-48010

Published

2025-05-14T18:05:13Z

Modified

2025-12-10T23:41:26.370008Z

Summary

[none]

Details

This module enables you to allow users to include a second authentication method in addition to password authentication.

The module doesn't sufficiently prevent one time login links from bypassing TFA.

This vulnerability is mitigated by the fact that an attacker must have access to an email account attached to a user or a valid one time password link for a user.

References

https://www.drupal.org/sa-contrib-2025-061

Credits

- Conrad Lara (cmlara)
- - https://www.drupal.org/u/cmlara

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/one_time_password

Package

Name: drupal/one_time_password
Purl: pkg:composer/drupal/one_time_password

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.3.0

Database specific

{
    "constraint": "<1.3.0"
}

Database specific

affected_versions

"<1.3.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/one_time_password/DRUPAL-CONTRIB-2025-061.json"