SB2025051510 - Multiple vulnerabilities in One Time Password module for Drupal
Published: May 15, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-48010)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently prevent one time login links from bypassing TFA. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
2) Improper access control (CVE-ID: CVE-2025-48012)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently prevent the same TFA token within a 30 second window. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
3) Improper access control (CVE-ID: CVE-2025-48011)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently prevent TFA from being bypassed when using the REST login routes. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Remediation
Install update from vendor's website.