{"id":"DRUPAL-CONTRIB-2025-115","details":"The Email TFA module provides additional email-based two-factor authentication for Drupal logins.\n\nIn certain scenarios, the module does not fully protect all login mechanisms as expected.\n\nThis issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.","aliases":["CVE-2025-12760","GHSA-9jrw-jrrj-p6fr"],"modified":"2025-12-10T23:40:56.859407Z","published":"2025-11-05T18:08:01Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2025-115"}],"affected":[{"package":{"name":"drupal/email_tfa","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/email_tfa"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.6"}],"database_specific":{"constraint":"\u003c2.0.6"}}],"database_specific":{"affected_versions":"\u003c2.0.6","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/email_tfa/DRUPAL-CONTRIB-2025-115.json"}}],"schema_version":"1.7.3","credits":[{"name":"Pierre Rudloff (prudloff)","contact":["https://www.drupal.org/u/prudloff"]}]}