cbcvebase.
CVE-2024-13239
published 2025-01-09


Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.3rd percentile)
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.

Affected

4 ranges

Vendor                             | Product                   | Version range         | Fixed in
-----------------------------------|---------------------------|-----------------------|---------
drupal                             | drupal                    |                       |
drupal                             | tfa                       | >= 0 < 1.5.0          | 1.5.0
drupal                             | two-factor_authentication | >= 0.0.0 < 1.5.0      | 1.5.0
two-factor_authentication_project  | two-factor_authentication | < 8.x-1.5             | 8.x-1.5

Detection & IOCs (extracted from sources)

  • After patching to TFA 8.x-1.5, monitor for login attempts that succeed using a second-factor plugin that has been administratively disabled — this indicates exploitation of the bypass.
  • Audit TFA plugin configuration at admin/config/people/tfa to identify any plugins that were previously enabled and then disabled, as accounts configured with only disabled plugins are the attack surface.
  • Exploitation requires three conditions: valid first-factor (password) credentials, an admin having enabled then disabled a TFA plugin, and the attacker possessing a valid second-factor credential for that disabled plugin. All three must be true for the bypass to succeed.
  • After upgrading to TFA 8.x-1.5, accounts configured with ONLY disabled plugins will be fully locked out and will see the configured 'Help text' instead of a second-factor prompt. Site owners must re-enable a plugin or use existing account-recovery procedures to restore access.