SB2025051510 - Multiple vulnerabilities in One Time Password module for Drupal

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2025-48010)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently prevent one time login links from bypassing TFA. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

2) Improper access control (CVE-ID: CVE-2025-48012)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently prevent the same TFA token within a 30 second window. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

3) Improper access control (CVE-ID: CVE-2025-48011)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not sufficiently prevent TFA from being bypassed when using the REST login routes. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://www.drupal.org/sa-contrib-2025-061
• https://www.drupal.org/sa-contrib-2025-063
• https://www.drupal.org/sa-contrib-2025-062