SB2025051205 - Multiple vulnerabilities in Enterprise MFA - TFA for Drupal module

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2025-47708)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

2) Improper access control (CVE-ID: CVE-2025-47710)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently ensure that known login routes are protected. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

3) Improper access control (CVE-ID: CVE-2025-47709)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently protect certain sensitive routes. A remote attacker can bypass implemented security restrictions and view or modify various TFA-related settings.

4) Improper access control (CVE-ID: CVE-2025-47707)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not invoke two factor authentication (2FA) for the password reset option. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.

5) Improper access control (CVE-ID: CVE-2025-47706)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://www.drupal.org/sa-contrib-2025-054
• https://www.drupal.org/sa-contrib-2025-056
• https://www.drupal.org/sa-contrib-2025-055
• https://www.drupal.org/sa-contrib-2025-053
• https://www.drupal.org/sa-contrib-2025-052