- All versions prior to 1.x-2.2.1
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently migrate the session before prompting for the second-factor token, which exposes the login flow to session fixation.
This vulnerability is mitigated by the fact that an attacker must fixate a session on a victim system that is then authenticated with username and password without completing two-factor authentication. An attacker must also gather additional information about the entry form used after authentication, and must still present a valid token to complete authentication.
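The defect described above is the absence of a session migration between the password step and the second-factor prompt. The following added example (constructed for this advisory, not code from the TFA module) uses a toy in-memory session store to contrast a password step that leaves the presented session id in place with one that migrates to a fresh id before recording the half-authenticated state, and migrates again once the token is verified.

```python
import secrets
# In-memory session store standing in for a framework's session handling.
# Constructed for this example; none of this is the TFA module's own code.
SESSIONS = {}

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

def migrate_session(old_sid):
    # Move the data to a fresh id and retire the old one, so an id fixated
    # before login no longer refers to the (partly) authenticated session.
    data = SESSIONS.pop(old_sid)
    new_sid = secrets.token_hex(16)
    SESSIONS[new_sid] = data
    return new_sid

def password_login_unmigrated(sid, user):
    # Weak pattern: half-authenticated state lands on whatever id the browser
    # presented, without migrating it first.
    SESSIONS[sid].update(uid=user, tfa_pending=True)
    return sid

def password_login_migrated(sid, user):
    # Hardened pattern: migrate before recording the half-authenticated state.
    sid = migrate_session(sid)
    SESSIONS[sid].update(uid=user, tfa_pending=True)
    return sid

def complete_tfa(sid, token_valid):
    # A valid token is still required; migrate again so the id used during
    # the TFA prompt is retired as well.
    if not token_valid or not SESSIONS.get(sid, {}).get("tfa_pending"):
        raise PermissionError("second factor not completed")
    sid = migrate_session(sid)
    SESSIONS[sid].update(tfa_pending=False, authenticated=True)
    return sid

def fixation_survives(login_step):
    # True if an id known before login still carries the user's state afterwards.
    SESSIONS.clear()
    fixated = new_session()
    login_step(fixated, "victim")
    return SESSIONS.get(fixated, {}).get("uid") == "victim"

def hardened_flow_retires_ids():
    SESSIONS.clear()
    s0 = new_session()
    s1 = password_login_migrated(s0, "victim")
    s2 = complete_tfa(s1, True)
    return s0 not in SESSIONS and s1 not in SESSIONS and SESSIONS[s2]["authenticated"]
```

In the hardened flow neither the id presented at the password step nor the id used during the token prompt remains valid afterwards, which is the property the fix restores.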
Upgrade your site to the most recent version of the TFA module. A download is available on the Two Factor Authentication module page. See the update instructions, if needed.
- Francesco Placella
- Juraj Nemec of the Drupal Security Team
- Conrad Lara
- Herb v/d Dool
- Jen Lampton of the Backdrop Security Team
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team