CVE-2024-13239

Critical

Published: 09 January 2025

Published

09 January 2025

Modified

04 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0043 62.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13239 is a critical-severity Weak Authentication (CWE-1390) vulnerability in Two-Factor Authentication Project Two-Factor Authentication. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 37.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the weak authentication flaw in the Drupal TFA module by patching to version 1.5.0, directly preventing exploitation and authentication abuse.

IA-5 Authenticator Management good match

prevent

Mandates secure management, distribution, and verification of two-factor authenticators, comprehensively addressing weaknesses in the TFA module's authentication mechanisms.

SI-5 Security Alerts, Advisories, and Directives partial match

preventdetect

Ensures monitoring of security advisories like Drupal SA-CONTRIB-2024-003 to detect and act on the TFA vulnerability before exploitation.

NVD Description

Weak Authentication vulnerability in Drupal Two-factor Authentication (TFA) allows Authentication Abuse.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.5.0.

Deeper analysisAI

CVE-2024-13239 is a weak authentication vulnerability in the Drupal Two-factor Authentication (TFA) module that allows authentication abuse. The issue affects TFA versions from 0.0.0 before 1.5.0 and is associated with CWE-1390 and NVD-CWE-Other.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability enables unauthenticated attackers accessible over the network to exploit it with low complexity and no user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of affected systems through authentication abuse.

The Drupal security advisory SA-CONTRIB-2024-003 at https://www.drupal.org/sa-contrib-2024-003 provides details on mitigation, including the patch released in TFA version 1.5.0. Security practitioners should update to the fixed version promptly.

Details

CWE(s): CWE-1390 NVD-CWE-Other

Affected Products

two-factor authentication project

two-factor authentication

≤ 8.x-1.5

CVEs Like This One

CVE-2025-31694Same product: Two-Factor Authentication Project Two-Factor Authentication

CVE-2024-13279Same product: Two-Factor Authentication Project Two-Factor Authentication

CVE-2026-4924Shared CWE-1390

CVE-2024-52541Shared CWE-1390

CVE-2025-12870Shared CWE-1390

CVE-2025-1293Shared CWE-1390

CVE-2025-15595Shared CWE-1390

CVE-2025-26343Shared CWE-1390

CVE-2025-12871Shared CWE-1390

CVE-2023-53894Shared CWE-1390

References

https://www.drupal.org/sa-contrib-2024-003
Vendor Advisory · mlhess@drupal.org