CVE-2024-13239
Published 2025-01-09
Priority: P2 · 64 · critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.54% (41.3th percentile)
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
| drupal | tfa | >= 0 < 1.5.0 | 1.5.0 |
| drupal | two-factor_authentication | >= 0.0.0 < 1.5.0 | 1.5.0 |
| two-factor_authentication_project | two-factor_authentication | < 8.x-1.5 | 8.x-1.5 |
Detection & IOCs (extracted from sources)
- Monitor authentication logs for logins that succeeded using a second-factor plugin an administrator had disabled. On TFA versions before 8.x-1.5 such a login is the bypass being exercised; the fixed release is expected to reject it.
- Audit the TFA plugin configuration at admin/config/people/tfa to identify any validation plugins that were previously enabled and then disabled. Accounts whose only configured second-factor plugins are disabled ones are the attack surface.
- Exploitation requires three conditions: valid first-factor (password) credentials, an administrator having enabled and then disabled a TFA plugin, and the attacker possessing a valid second-factor credential for that disabled plugin. All three must hold for the bypass to succeed.
- After upgrading to TFA 8.x-1.5, accounts configured with only disabled plugins are fully locked out and see the configured 'Help text' instead of a second-factor prompt. Site owners must re-enable a plugin or use existing account-recovery procedures to restore access.
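The audit and lockout bullets above are easiest to act on with a script. The following is an added example, not code from the TFA module or from this page's sources: it flags accounts whose every configured plugin is disabled site-wide, and models the before/after access decision the advisory describes (a valid code for a disabled plugin is accepted before the fix and rejected after it, with the help text shown when no enabled plugin remains). The data shapes are assumptions: the site settings mimic an exported tfa.settings config with allowed_validation_plugins keyed by plugin id and disabled entries set to 0, and the per-user entries mimic the module's per-user settings (status flag plus data.plugins). Both samples are constructed; compare them with your own config export and user data before relying on the result.

```python
"""Audit Drupal TFA accounts whose configured validation plugins have all
been administratively disabled (bypass targets before TFA 8.x-1.5, locked-out
accounts after it).  Added example; data shapes are assumptions, not the
module's real storage format."""

# Constructed sample of site-wide TFA settings (assumed shape mirroring the
# tfa.settings config export): tfa_totp was enabled and later disabled (0),
# tfa_hotp is still enabled.
SITE_SETTINGS = {
    "enabled": True,
    "allowed_validation_plugins": {"tfa_totp": 0, "tfa_hotp": "tfa_hotp"},
    "default_validation_plugin": "tfa_hotp",
    "help_text": "Contact the site administrator to regain access.",
}

# Constructed sample of per-user TFA settings keyed by uid (assumed shape).
USER_SETTINGS = {
    1: {"status": 1, "data": {"plugins": {"tfa_hotp": "tfa_hotp"}}},
    7: {"status": 1, "data": {"plugins": {"tfa_totp": "tfa_totp"}}},
    9: {"status": 1, "data": {"plugins": {"tfa_totp": "tfa_totp",
                                          "tfa_hotp": "tfa_hotp"}}},
    12: {"status": 0, "data": {"plugins": {"tfa_totp": "tfa_totp"}}},
}


def enabled_plugins(site_settings):
    """Plugin ids an administrator currently allows (a falsy value means disabled)."""
    allowed = site_settings.get("allowed_validation_plugins", {})
    return {pid for pid, value in allowed.items() if value}


def user_plugins(user_setting):
    """Plugin ids the user has set up for their second factor."""
    return set(user_setting.get("data", {}).get("plugins", {}))


def accounts_with_only_disabled_plugins(site_settings, user_settings):
    """uids with TFA active whose configured plugins are all disabled site-wide.
    Before 8.x-1.5 these accounts are the bypass targets; after it they are
    locked out and shown the help text."""
    enabled = enabled_plugins(site_settings)
    return sorted(
        uid for uid, setting in user_settings.items()
        if setting.get("status")
        and user_plugins(setting)
        and not (user_plugins(setting) & enabled)
    )


def second_factor_decision(site_settings, user_setting, plugin_id, code_valid, patched):
    """Model of the second-factor step for an account with TFA active.
    unpatched: a valid code for any plugin the user configured is accepted,
    even one the administrator disabled (the CVE-2024-13239 behaviour).
    patched:   the plugin must also be enabled site-wide; an account left with
    no enabled plugin gets the configured help text instead of a prompt.
    Returns (accepted, reason)."""
    configured = user_plugins(user_setting)
    enabled = enabled_plugins(site_settings)
    if plugin_id not in configured:
        return False, "plugin not configured for this account"
    if patched and plugin_id not in enabled:
        if not (configured & enabled):
            return False, site_settings.get("help_text", "")
        return False, "plugin disabled by administrator"
    if code_valid:
        return True, "valid second factor"
    return False, "invalid code"


if __name__ == "__main__":
    exposed = accounts_with_only_disabled_plugins(SITE_SETTINGS, USER_SETTINGS)
    print("accounts relying only on disabled plugins:", exposed)
    for patched in (False, True):
        ok, why = second_factor_decision(SITE_SETTINGS, USER_SETTINGS[7],
                                         "tfa_totp", True, patched)
        print(f"patched={patched}: accepted={ok} ({why})")
```

Run it after replacing the two constructed dictionaries with your own exported settings; every uid it lists should be re-enrolled on an enabled plugin or handed through account recovery before or immediately after the upgrade, since those are exactly the accounts that switch from "bypassable" to "locked out" at 8.x-1.5.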
GHSA
GHSA-gqf5-wjqv-v83c (unreviewed, 2025-01-09) · CVE-2024-13239 · CRITICAL · CWE-1390
Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.
OSV
CVE-2024-13239 (osv, 2024-01-24)
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled.
This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.
Drupal
SA-CONTRIB-2024-003: Two-factor Authentication (TFA) - Moderately critical - Access bypass (vendor advisory, 2024-01-24; severity MEDIUM)
Vulnerability Type: Access bypass
Description: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.
Solution: Install the latest 8.x-1.2 version: If you use the Two-factor Authentication (TFA) for Drupal 8, 9, or 10 upgrad
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.