Skip to main content

Two Factor Authentication

8 CVEs product

Monthly

CVE-2025-7030 PHP MEDIUM PATCH This Month

CVE-2025-7030 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Two Factor Authentication Drupal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-31694 PHP HIGH PATCH This Week

Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.0.0 before 1.10.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Two Factor Authentication Drupal
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2024-13279 PHP CRITICAL PATCH This Week

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Two Factor Authentication Drupal
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-13239 PHP CRITICAL PATCH This Week

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.0.0 before 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Two Factor Authentication Drupal
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-5658 PHP MEDIUM POC PATCH This Month

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Two Factor Authentication
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-5657 PHP HIGH POC PATCH This Week

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Two Factor Authentication
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2018-20231 HIGH POC This Week

Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Two Factor Authentication
NVD
CVSS 3.0
8.8
EPSS
1.4%
CVE-2017-17780 MEDIUM POC PATCH This Month

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress PHP Booking Calendar Sms Clockwork Sms Notfications +6
NVD
CVSS 3.1
6.1
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2025-7030 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Two Factor Authentication Drupal
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing.0.0 before 1.10.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Two Factor Authentication Drupal
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.0.0 before 1.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Two Factor Authentication +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH This Week

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.0.0 before 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Two Factor Authentication Drupal
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Two Factor Authentication
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Two Factor Authentication
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Two Factor Authentication
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS WordPress PHP +8
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy