Today > 7 Critical | 27 High | 59 Medium vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-11716

Jan. 2, 2025, 6:15 p.m.

Tags

cvd@cert.pl
CWE-837
2025-01-02
CVE-2024-11716

Product(s) Impacted

CTFd

  • 3.7.0
  • 3.7.1
  • 3.7.2
  • 3.7.3
  • 3.7.4

Description

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.

Weaknesses

CWE-837
Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

CWE ID: 837

Date

Published: Jan. 2, 2025, 5:15 p.m.

Last Modified: Jan. 2, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cvd@cert.pl

References

https://blog.ctfd.io/ cvd@cert.pl
https://cert.pl/ cvd@cert.pl
https://ctfd.io/ cvd@cert.pl
https://github.com/ cvd@cert.pl
https://seclists.org/ cvd@cert.pl
https://seclists.org/ 134c704f-9b21-4f2e-91b3-4a467353bcc0