
CVE-2024-13239

Critical

Published: 09 January 2025

Modified: 04 June 2025

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (62.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.

Security Summary

CVE-2024-13239 is a weak authentication vulnerability in the Drupal Two-factor Authentication (TFA) module that allows authentication abuse. The issue affects TFA versions from 0.0.0 before 1.5.0 and is associated with CWE-1390 and NVD-CWE-Other.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by an unauthenticated attacker, with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability, and can allow full compromise of affected systems through authentication abuse.

The Drupal security advisory SA-CONTRIB-2024-003 at https://www.drupal.org/sa-contrib-2024-003 provides mitigation details, including the fix released in TFA version 1.5.0. Security practitioners should update to the fixed version promptly.

Details

CWE(s): CWE-1390, NVD-CWE-Other

Affected Products

Vendor: two-factor authentication project
Product: two-factor authentication
Versions: ≤ 8.x-1.5

References