Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-284 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Two-factor Authentication (TFA) (Web applications / Modules and components for CMS) |
Vendor | coltrane |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU105370
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because the affected module does not sufficiently ensure that known login routes are not overridden by third-party modules. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Two-factor Authentication (TFA): before 1.10.0
CPE2.3
External links
https://www.drupal.org/sa-contrib-2025-023
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote unauthenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.