
<div dir="ltr"><br><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2023-030" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2023-030</a><br>

<br>

Project: Two-factor Authentication (TFA) [1]<br>

Date: 2023-July-12<br>

Security risk: *Critical* 17∕25<br>

AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2]<br>

Vulnerability: Access bypass<br>

<br>

Affected versions: ^1 <= 1.0.0<br>

Description: <br>

This module enables you to allow and/or require users to use a second<br>

authentication method in addition to password authentication.<br>

<br>

The module doesn't sufficiently ensure all core login routes, including the<br>

password reset page, require a second factor credential.<br>

<br>

This vulnerability is mitigated by the fact that an attacker must obtain a<br>

first-factor login credential.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you use the Two-factor Authentication (TFA) module for Drupal 8/9<br>

     please upgrade to TFA 8.x-1.1 [3]<br>

<br>

Ensure all additional external forms of authentication, such as REST, have<br>

been disabled.<br>

<br>

Reported By: <br>

   * Conrad Lara [4]<br>

   * Benji Fisher [5] of the Drupal Security Team<br>

<br>

Fixed By: <br>

   * Lee Rowlands [6] of the Drupal Security Team<br>

   * João Ventura [7]<br>

   * Conrad Lara [8]<br>

   * Benji Fisher [9] of the Drupal Security Team<br>

   * Mingsong  [10]<br>

   * Jonathan Daggerhart [11]<br>

   * Vitaliy Bogomazyuk [12]<br>

   * Giles Birch [13]<br>

   * N Cantrell [14]<br>

   * Reinder Venema [15]<br>

   * Rory Downes [16]<br>

<br>

Coordinated By: <br>

   * Damien McKenna [17] of the Drupal Security Team<br>

   * Greg Knaddison [18] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/tfa" rel="noreferrer" target="_blank">https://www.drupal.org/project/tfa</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/project/tfa/releases/8.x-1.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/tfa/releases/8.x-1.1</a><br>

[4] <a href="https://www.drupal.org/user/1790054" rel="noreferrer" target="_blank">https://www.drupal.org/user/1790054</a><br>

[5] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>

[6] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>

[7] <a href="https://www.drupal.org/user/122464" rel="noreferrer" target="_blank">https://www.drupal.org/user/122464</a><br>

[8] <a href="https://www.drupal.org/user/1790054" rel="noreferrer" target="_blank">https://www.drupal.org/user/1790054</a><br>

[9] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>

[10] <a href="https://www.drupal.org/user/2986445" rel="noreferrer" target="_blank">https://www.drupal.org/user/2986445</a><br>

[11] <a href="https://www.drupal.org/user/167806" rel="noreferrer" target="_blank">https://www.drupal.org/user/167806</a><br>

[12] <a href="https://www.drupal.org/user/3514011" rel="noreferrer" target="_blank">https://www.drupal.org/user/3514011</a><br>

[13] <a href="https://www.drupal.org/user/512726" rel="noreferrer" target="_blank">https://www.drupal.org/user/512726</a><br>

[14] <a href="https://www.drupal.org/user/3593195" rel="noreferrer" target="_blank">https://www.drupal.org/user/3593195</a><br>

[15] <a href="https://www.drupal.org/user/3669405" rel="noreferrer" target="_blank">https://www.drupal.org/user/3669405</a><br>

[16] <a href="https://www.drupal.org/user/2998173" rel="noreferrer" target="_blank">https://www.drupal.org/user/2998173</a><br>

[17] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>

[18] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>

</div></div>