PT-2025-26964 · Drupal · Enterprise Mfa - Tfa For Drupal
Conrad Lara +2 · Published 2025-06-26 · Updated 2025-06-26 · CVE-2025-6675
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Enterprise MFA - TFA for Drupal versions 0.0.0 through 4.8.0
Enterprise MFA - TFA for Drupal versions 5.2.0 through 5.2.0
Enterprise MFA - TFA for Drupal versions 0.0.0 through 5.0.*
Enterprise MFA - TFA for Drupal versions 0.0.0 through 5.1.*
Description:
The issue affects the Enterprise MFA - TFA for Drupal module, allowing authentication bypass using an alternate path or channel. This is due to the module not sufficiently ensuring that known authorization routes are protected.
Recommendations:
For versions 0.0.0 through 4.8.0, update to version 4.8.0 or later.
For version 5.2.0, update to version 5.2.1 or later.
For versions 0.0.0 through 5.0.*, update to version 5.0. or later.
For versions 0.0.0 through 5.1.*, update to version 5.1. or later.
As a temporary workaround, consider restricting access to known authorization routes to minimize the risk of exploitation.
Fix
Authentication Bypass Using an Alternate Path or Channel