[Security-news] Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
security-news at drupal.org
security-news at drupal.org
Wed Nov 5 18:08:02 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-115
Project: Email TFA [1]
Date: 2025-November-05
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.6
CVE IDs: CVE-2025-12760
Description:
The Email TFA module provides additional email-based two-factor
authentication for Drupal logins.
In certain scenarios, the module does not fully protect all login mechanisms
as expected.
This issue is mitigated by the fact that an attacker must already have valid
user credentials (username and password) to take advantage of the weakness.
Solution:
Install the latest version:
* If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* abdulaziz zaid [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8]
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/email_tfa
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/email_tfa/releases/2.0.6
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/abdulaziz-zaid
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/prudloff
[9]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3556247
More information about the Security-news
mailing list