View online: https://www.drupal.org/sa-contrib-2025-115
Project: Email TFA [1]
Date: 2025-November-05
Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.6
CVE IDs: CVE-2025-12760

Description:
The Email TFA module provides additional email-based two-factor authentication for Drupal logins.
In certain scenarios, the module does not fully protect all login mechanisms as expected.
This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.
Solution: Install the latest version:
* If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:
* abdulaziz zaid [5]

Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8]
------------------------------------------------------------------------------
Contribution record [9]

[1] https://www.drupal.org/project/email_tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_tfa/releases/2.0.6
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/abdulaziz-zaid
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....