
[CIVN-2025-0306] Multiple Vulnerabilities in Modules of Drupal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Modules of Drupal
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
Email TFA module for Drupal prior to version 2.0.6
Simple multi step form module for Drupal prior to version 2.0.0
Overview
Multiple vulnerabilities have been reported in various modules of Drupal which could allow an attacker to bypass security restrictions or conduct cross-site scripting attacks on the target system.
Target Audience:
Individuals and end-user organizations using Drupal Modules.
Risk Assessment:
High risk of unauthorized access to sensitive data.
Impact Assessment:
Potential for data theft and system compromise.
Description
Drupal is an open-source content management system (CMS) that allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in the Email TFA module, which does not enforce its two-factor authentication check consistently across all possible Drupal login mechanisms, and in the Simple multi step form module, which does not validate user input properly. An attacker could exploit the Email TFA vulnerability to bypass two-factor authentication via an unprotected login path, while the Simple multi step form vulnerability allows a high-privilege attacker to inject malicious scripts into the system configuration.
Successful exploitation of these vulnerabilities could allow the attacker to bypass security restrictions or conduct cross-site scripting attacks on the target system.
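As an added illustration, not part of this CERT-In advisory or of the Drupal modules' code: a Python model of the root cause behind the Email TFA issue (a second-factor gate applied separately at each login entry point misses any path that omits it) next to the hardened pattern that applies the gate once, where every login is finalised. The login paths, user names and one-time code are hypothetical and constructed for the example.

```python
"""Model of 'inconsistent enforcement of 2FA across login mechanisms'.
Constructed example: the login paths and names are hypothetical, not Drupal's."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    tfa_enrolled: bool
    sessions: list = field(default_factory=list)  # login paths that succeeded


def _verify_code(user, code):
    # Constructed stand-in for checking an emailed one-time code.
    return code == "123456"


class PerPathAuth:
    """Vulnerable pattern: every entry point re-implements the TFA gate."""

    def login_form(self, user, code=None):
        if user.tfa_enrolled and not _verify_code(user, code):
            return "tfa_required"
        user.sessions.append("form")
        return "ok"

    def login_via_reset_link(self, user, code=None):
        # A later-added path that never received the gate: the unprotected path.
        user.sessions.append("reset")
        return "ok"


class ChokepointAuth:
    """Hardened pattern: one routine finalises every login and owns the gate."""

    def _finalize(self, user, path, code):
        if user.tfa_enrolled and not _verify_code(user, code):
            return "tfa_required"
        user.sessions.append(path)
        return "ok"

    def login_form(self, user, code=None):
        return self._finalize(user, "form", code)

    def login_via_reset_link(self, user, code=None):
        return self._finalize(user, "reset", code)


LOGIN_PATHS = ("login_form", "login_via_reset_link")


def audit(auth_cls):
    """Regression check: list login paths that open a session for an enrolled
    user without a valid second factor. A non-empty list is a bypass."""
    gaps = []
    for path in LOGIN_PATHS:
        user = User("alice", tfa_enrolled=True)
        getattr(auth_cls(), path)(user)  # no code supplied
        if user.sessions:
            gaps.append(path)
    return gaps
```

Running `audit` over every login path of a site is the kind of check that would have caught the gap before release; adding a new entry point without routing it through the chokepoint makes the audit fail.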
Solution
Upgrade to the latest versions as mentioned in the advisories:
https://www.drupal.org/sa-contrib-2025-115
https://www.drupal.org/sa-contrib-2025-116
Vendor Information
Drupal
https://www.drupal.org/
References
https://www.drupal.org/sa-contrib-2025-115
https://www.drupal.org/sa-contrib-2025-116
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


