Tfa Basic Plugins
Monthly
Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.
Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.