Date:
2025-May-07
Security risk:
Vulnerability:
Access bypass
Affected versions:
<4.7.0 || >=5.0.0 <5.2.0
CVE IDs:
CVE-2025-47706
Description:
The module enables you to add second-factor authentication in addition to the default Drupal login.
The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods.
This vulnerability is mitigated by the fact that an attacker must have a username, password and TOTP token generated within the last 5 minutes.
Solution:
Install the latest version:
- If you use the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above, upgrade to miniorange_2fa 5.2.0.
- If you use the Enterprise MFA - TFA module version 4.x for Drupal 8, 9 or 10, upgrade to miniorange_2fa 8.x-4.7.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
