Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured…
drupal·CWE-267·Published 2025-07-08
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0.
This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact that an attacker must have a role with the *Administer TFA for other users* permission.
La vulnerabilidad de privilegio definido con acciones inseguras en Drupal Two-factor Authentication (TFA) permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a la autenticación de dos factores (TFA): desde la versión 0.0.0 hasta la 1.11.0.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 6.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | Primary | cve.org | 6.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | Secondary | NVD | 6.5 | 1.2 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H |