CVE-2024-13279

9.8 CRITICAL

📋 TL;DR

A session fixation vulnerability in Drupal's Two-factor Authentication (TFA) module allows attackers to hijack user sessions by fixing session IDs before authentication. This affects all Drupal sites using the TFA module, potentially compromising any user accounts with TFA enabled. The vulnerability exists in all versions before 1.8.0.

💻 Affected Systems

Products:
  • Drupal Two-factor Authentication (TFA) module
Versions: 0.0.0 through 1.7.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the TFA module installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can bypass two-factor authentication entirely, gaining unauthorized access to administrative accounts and complete site compromise.

🟠

Likely Case

Attackers hijack user sessions to access sensitive data, modify content, or perform unauthorized actions within the application.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the affected Drupal instance only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have some initial access to fix the session ID before the victim authenticates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-043

Restart Required: No

Instructions:

1. Update the TFA module to version 1.8.0 via Drupal's update manager or Composer.
2. Clear Drupal caches.
3. Verify the update was successful.
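The root cause described in the TL;DR, and what the fix has to guarantee, can be shown with a small in-memory session store. This is an added illustration, not Drupal or TFA module code: the store, the state names and the constructed session id are hypothetical. It runs the same login flow (password step, then TFA step) twice, once keeping the pre-authentication session id and once issuing a fresh id when the second factor is verified, and reports whether the id that existed before login is still accepted as fully authenticated afterwards.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (illustration only). A session moves
    through three states: anonymous -> password verified -> TFA complete."""

    def __init__(self, regenerate_on_auth):
        # When True, a fresh session id is issued once authentication completes,
        # which is the standard defence against session fixation.
        self.regenerate_on_auth = regenerate_on_auth
        self.sessions = {}  # session id -> {"uid": ..., "tfa_complete": ...}

    def start(self, sid=None):
        """Open an anonymous session. Passing an explicit sid models an id that
        already existed (and was known to someone) before the user logged in."""
        sid = sid or secrets.token_hex(16)
        self.sessions[sid] = {"uid": None, "tfa_complete": False}
        return sid

    def password_login(self, sid, uid):
        """First factor verified: bind the user to the session, but it is not
        authenticated until the TFA step has also passed."""
        state = self.sessions[sid]
        state["uid"] = uid
        state["tfa_complete"] = False

    def complete_tfa(self, sid):
        """Second factor verified. Returns the session id the client must use
        from now on; with regeneration this is a new id and the old one dies."""
        state = self.sessions[sid]
        state["tfa_complete"] = True
        if not self.regenerate_on_auth:
            return sid
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = state
        return new_sid

    def is_authenticated(self, sid):
        state = self.sessions.get(sid)
        return bool(state and state["uid"] is not None and state["tfa_complete"])


def pre_auth_id_still_valid_after_tfa(regenerate_on_auth):
    """Run the full login flow on an id that existed before authentication and
    return (old id accepted as authenticated?, id returned by complete_tfa accepted?)."""
    store = SessionStore(regenerate_on_auth)
    pre_auth_sid = store.start("id-known-before-login")  # constructed value
    store.password_login(pre_auth_sid, uid=1)
    post_auth_sid = store.complete_tfa(pre_auth_sid)
    return store.is_authenticated(pre_auth_sid), store.is_authenticated(post_auth_sid)


if __name__ == "__main__":
    print("without regeneration:", pre_auth_id_still_valid_after_tfa(False))
    print("with regeneration:   ", pre_auth_id_still_valid_after_tfa(True))
```

The point to check in any fix is the second call: after regeneration the pre-authentication id must no longer map to an authenticated session, and the regeneration has to happen after the TFA step, not only after the password step, or the TFA check can be bypassed by whoever holds the earlier id.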

🔧 Temporary Workarounds

Disable TFA Module

Applies to: all versions

Temporarily disable the vulnerable TFA module until patching is possible. Drupal 8 and later have no "disabled" state for modules, so the module must be uninstalled; uninstalling removes the module's configuration, and users will likely have to set up TFA again once it is reinstalled. While the workaround is in place every account is protected by the password alone.

drush pm:uninstall tfa

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the Drupal admin interface
  • Enable enhanced session monitoring and alerting for suspicious authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check TFA module version in Drupal's Extend page or via drush: drush pm:list | grep tfa

Check Version:

drush pm:list --fields=name,version | grep tfa

Verify Fix Applied:

Confirm TFA module version is 1.8.0 or higher

📡 Detection & Monitoring

Log Indicators:

  • Multiple session IDs for same user account
  • Authentication from unusual locations after TFA setup

Network Indicators:

  • Unusual authentication request patterns to /user/login and TFA endpoints

SIEM Query:

source="drupal" AND (event="session_start" OR event="user_login") | stats count by session_id, user
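The two log indicators above can be checked offline before a SIEM query is written. The following is an added example, not part of the advisory and not Drupal's logging format: it parses constructed key=value log lines, then reports users that authenticated under more than one session id and session ids that were seen from more than one source address (for instance a session that was started from one address and then used to log in from another). Field names (event, session_id, user, ip) and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a key=value layout (not real Drupal output).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z event=session_start session_id=s1 user=- ip=203.0.113.5
2024-05-01T10:00:05Z event=user_login session_id=s1 user=alice ip=198.51.100.7
2024-05-01T10:00:30Z event=user_login session_id=s2 user=alice ip=198.51.100.7
2024-05-01T10:01:00Z event=session_start session_id=s3 user=- ip=198.51.100.9
2024-05-01T10:01:10Z event=user_login session_id=s3 user=bob ip=198.51.100.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its key=value fields plus the leading timestamp."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_session_anomalies(log_text):
    """Return the two indicator sets from the advisory:
    - users that logged in under more than one session id
    - session ids that were used from more than one source address"""
    sessions_per_user = defaultdict(set)
    ips_per_session = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") not in ("session_start", "user_login"):
            continue
        ips_per_session[ev["session_id"]].add(ev["ip"])
        if ev["event"] == "user_login":
            sessions_per_user[ev["user"]].add(ev["session_id"])
    return {
        "users_with_multiple_sessions": {
            user: sorted(sids) for user, sids in sessions_per_user.items() if len(sids) > 1
        },
        "sessions_seen_from_multiple_ips": {
            sid: sorted(ips) for sid, ips in ips_per_session.items() if len(ips) > 1
        },
    }


if __name__ == "__main__":
    for name, hits in find_session_anomalies(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample data alice triggers the first indicator and session s1 triggers the second. The first indicator alone is noisy (a user logging in from two devices also produces two session ids), so the per-session address check is the one worth alerting on; the SIEM query above corresponds to the first indicator and should be extended with the source address to cover the second.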

🔗 References
