Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0.
The session fixation vulnerability (CWE-384) consists of the application not generating a new session identifier after successful user authentication. An attacker can pre-emptively provide the victim with a known session identifier, and then — after the victim logs in using two-factor authentication — take over this session and act within the context of their permissions. The vulnerability can be exploited remotely, without authentication and without user interaction beyond the act of logging in.
An attacker gains full access to the session of an authenticated user, which may lead to account takeover, disclosure of sensitive data, and violation of integrity and availability of Drupal site resources.
The Two-Factor Authentication (TFA) module should be updated to version 1.8.0 or later. Detailed information is available in the Drupal security advisory: https://www.drupal.org/sa-contrib-2024-043
Two-Factor Authentication (TFA) module for Drupal in versions from 0.0.0 to 1.8.0 (version 1.8.0 excluded).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTwo Factor Authentication Project Two Factor Authentication
APPTwo-Factor Authentication Project< 8.x-1.8
Related vulnerabilities
Słabe uwierzytelnianie w module Two-Factor Authentication dla Drupal
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.This ...
Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploitin...