SB2025072919 - Privilege Defined With Unsafe Actions in Two-factor Authentication (TFA) module for Drupal
Published: July 29, 2025
Description
This security bulletin contains information about 1 vulnerability.
1) Privilege Defined With Unsafe Actions (CVE-ID: CVE-2025-7030)
CWE-ID: CWE-267 - Privilege Defined With Unsafe Actions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists because the affected application does not sufficiently ensure that users with enhanced privileges are prevented from viewing the recovery codes of other users. A remote administrator can exploit incorrectly configured access control security levels.
Remediation
Install the update from the vendor's website.