This module lets users add a second authentication method in addition to password authentication.
The module doesn't sufficiently prevent reuse of the same TFA token within a 30 second window.
This vulnerability is mitigated by the fact that an attacker must obtain a valid username/password and second factor.
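The check that closes this kind of replay, as an added example in Python (not the module's own PHP code): the verifier records the last accepted time step per user, so a code is honoured once even while its 30 second window is still open. The class name, in-memory store, secret and timestamp are constructed for illustration; a real site would persist the counter with the user's TFA settings.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (the 30 second window in the advisory)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP value (HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ReplaySafeVerifier:
    """Hypothetical verifier: each time step is accepted at most once per user."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerated clock drift, in steps
        self.last_used = {}             # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        current = int(now) // STEP
        floor = self.last_used.get(user, -1)
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= floor:
                continue  # this step (or a later one) was already consumed
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_used[user] = counter  # record before granting access
                return True
        return False


def demo():
    secret = b"constructed-demo-secret"  # constructed sample, not a real key
    t0 = 1_700_000_010                   # constructed timestamp
    code = totp(secret, t0 // STEP)
    v = ReplaySafeVerifier()
    first = v.verify("alice", secret, code, t0)
    replay = v.verify("alice", secret, code, t0 + 5)  # same 30 s window
    later = v.verify("alice", secret, totp(secret, (t0 + 30) // STEP), t0 + 30)
    return first, replay, later


if __name__ == "__main__":
    print(demo())
```

Without the `counter <= floor` check, the second call in `demo()` would succeed, which is the behaviour the advisory describes.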
Install the latest version:
- If you use the One Time Password module for Drupal, upgrade to One Time Password 8.x-1.3
- danielveza
- Lee Rowlands (larowlan) of the Drupal Security Team
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team