Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-October-02
Vulnerability:
Access bypass
Affected versions:
<1.8.0
CVE IDs:
CVE-2024-13279
Description:
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently migrate sessions before prompting for a second factor token.
This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing Two Factor authentication. An attacker must gather additional information regarding the entry form after authentication. An attacker must still present a valid token to complete authentication.
Solution:
Install the latest version:
- If you use the Two-factor Authentication (TFA) module for Drupal 8+ upgrade to Two-factor Authentication (TFA) 8.x-1.8
- If you use the Two-factor Authentication (TFA) module for Drupal 7 upgrade to Two-factor Authentication (TFA) 7.x-2.4
Reported By:
Fixed By:
- Francesco Placella
- Juraj Nemec of the Drupal Security Team
- Conrad Lara
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
