DRUPAL-CONTRIB-2025-115

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/email_tfa/DRUPAL-CONTRIB-2025-115.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-115

Aliases

CVE-2025-12760
GHSA-9jrw-jrrj-p6fr

Published

2025-11-05T18:08:01Z

Modified

2025-12-10T23:40:56.859407Z

Summary

[none]

Details

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

References

https://www.drupal.org/sa-contrib-2025-115

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/email_tfa

Package

Name: drupal/email_tfa
Purl: pkg:composer/drupal/email_tfa

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.6

Database specific

{
    "constraint": "<2.0.6"
}

Database specific

affected_versions

"<2.0.6"