TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085

Project

TFA Basic plugins

Date

August 20, 2025

Severity

Less Critical

Risk Score

9 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability

Access bypass

Affected versions

<7.x-1.3

Description

This module enables you to allow and/or require a second authentication method in addition to password authentication.

The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Administer TFA for other users permission.

This is a backport of https://www.drupal.org/sa-contrib-2025-085. The original issue is for tfa module, but in Drupal 7 the module is split and plugins are in tfa_basic.

Solution

Install the latest version.

If you use the TFA Basic module for Drupal 7, upgrade to tfa_basic 7.x-1.3:

Reported by

Conrad Lara (cmlara)

Fixed by

Conrad Lara (cmlara)
Tag1 Security Team

Coordinated by

cilefen (cilefen) of the Drupal Security Team
Dan Smith (galooph) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Tag1 Security Team