PT-2025-2094 · Drupal · Drupal
Conrad Lara
+3
·
Published
2024-10-02
·
Updated
2025-01-10
·
CVE-2024-13279
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Drupal Two-factor Authentication (TFA) versions 0.0.0 through 1.8.0
Description
The issue is related to incorrect session management in the Two-factor Authentication (TFA) module of the Drupal CMS system. This can allow a remote attacker to hijack a user's session. The problem affects the Two-factor Authentication (TFA) module, allowing session fixation.
Recommendations
For versions 0.0.0 through 1.8.0, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the TFA module to minimize the risk of exploitation.
Fix
Session Fixation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Drupal