| CVE ID | CVE-2024-11716 |
| Publication date | 02 January 2025 |
| Vendor | CTFd |
| Product | CTFd |
| Vulnerable versions | From 3.7.0 through 3.7.4 |
| Vulnerability type (CWE) | Improper Enforcement of a Single, Unique Action (CWE-837) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2024-11717 |
| Publication date | 02 January 2025 |
| Vendor | CTFd |
| Product | CTFd |
| Vulnerable versions | All through 3.7.4 |
| Vulnerability type (CWE) | Improper Enforcement of a Single, Unique Action (CWE-837) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in CTFd software and participated in coordination of their disclosure.
While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue was assigned CVE-2024-11716. It impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 included in 3.7.5 release.
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email. This issue was assigned CVE-2024-11717. It impacts all releases up to 3.7.4 and was addressed by pull request 2679 included in 3.7.5 release.
The researcher has published technical details under the following link.
Credits
We thank Błażej Adamczyk (efigo.pl) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.