Drupal Enterprise MFA Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in the Enterprise MFA - TFA for Drupal module, affecting versions prior to 4.7.0 and those from 5.0.0 through 5.2.0. The module does not verify whether a TOTP token has already been used for authenticator-based second-factor methods, so a remote attacker holding stolen credentials can replay a previously used token and bypass the second factor. An attacker would need to possess a valid username, password, and a TOTP token generated within the last five minutes to exploit this issue.
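The single-use check the advisory describes as missing, as an added example that is not part of the advisory or of the module's own (PHP) code: a minimal RFC 6238 TOTP verifier in Python with a variant that only checks that a code is valid in the acceptance window beside one that records the last accepted time step per user and rejects any code at or before it. The ten-step (five-minute) window, the user name and the RFC 4226 test-vector secret are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 time step in seconds
WINDOW = 10   # accept codes up to 10 steps (5 minutes) old; assumed policy matching the advisory

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for the given Unix time."""
    return hotp(secret, now // STEP)

def matching_step(secret: bytes, code: str, now: int):
    """Return the time step within the window that the code matches, or None."""
    current = now // STEP
    for step in range(current, current - WINDOW - 1, -1):
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None

class VulnerableVerifier:
    """Checks only that the code is valid in the window; never records that it was used."""
    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        return matching_step(secret, code, now) is not None

class HardenedVerifier:
    """Stores the last accepted step per user; a code at or before it is a replay (RFC 6238 s5.2)."""
    def __init__(self):
        self.last_step = {}
    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        step = matching_step(secret, code, now)
        if step is None or step <= self.last_step.get(user, -1):
            return False
        self.last_step[user] = step
        return True

def replay_demo(secret: bytes = b"12345678901234567890"):
    """Constructed scenario: a legitimate login, then the same code replayed 40 seconds later."""
    now = 1_700_000_000
    code = totp(secret, now)
    vuln, hard = VulnerableVerifier(), HardenedVerifier()
    return (vuln.verify("alice", secret, code, now), vuln.verify("alice", secret, code, now + 40),
            hard.verify("alice", secret, code, now), hard.verify("alice", secret, code, now + 40))

if __name__ == "__main__":
    print(replay_demo())  # (True, True, True, False): only the hardened verifier rejects the replay
```

The hardened form still needs the last accepted step persisted per account (database, not process memory) so the check survives restarts and applies across web nodes.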
Impact
Exploitation of this vulnerability allows an attacker with stolen credentials to bypass the second authentication factor, enabling unauthorized access to the affected user accounts or services.
Remediation
Users of the Enterprise MFA - TFA module version 5.x for Drupal 9.3 and above should upgrade to version 5.2.0. Those using version 4.x for Drupal 8, 9, or 10 should upgrade to version 8.x-4.7.
