CVE-2025-31694
Published 2025-03-31
CVE-2025-31694: Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA)…
Priority: P3 · 50
Severity: high, 8.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.5th percentile)
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
| drupal | tfa | >= 0 < 1.10.0 | 1.10.0 |
| drupal | tfa | >= 0 < 1.10.0 | 1.10.0 |
| drupal | two-factor_authentication | >= 0.0.0 < 1.10.0 | 1.10.0 |
| two-factor_authentication_project | two-factor_authentication | < 8.x-1.10 | 8.x-1.10 |
Drupal
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
vendor_drupal·2025-03-05
CVE-2025-31694 [MEDIUM] Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
Title: Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
Vulnerability Type: Access bypass
Description: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.
Solution: Install the latest version and run database updates:
- If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.10.
- Run the database updates. See the help documentation on how to run database updates.
GHSA
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
ghsa·2025-04-01
CVE-2025-31694 [HIGH] CWE-288 Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
OSV
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
osv·2025-04-01
CVE-2025-31694 [HIGH] Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.
OSV
CVE-2025-31694: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication
osv·2025-03-05
CVE-2025-31694: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.
This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.