Account Takeover Vulnerability in CTFd by CTFd
CVE-2024-11717

6.3 MEDIUM

Key Information:

Vendor: CTFd
Product: CTFd
CVE Published: 2 January 2025

Badges: 👾 Exploit Exists · 🟡 Public PoC

Summary

CTFd, a platform for capture-the-flag competitions, mishandles the tokens it issues for account activation and password resets. The two token types are interchangeable: a token minted for one flow is accepted by the other, so an on-path attacker who captures a user's activation link while it is still valid can present it to the password-reset flow and take over the account. The tokens travel as GET parameters (and so also end up in server logs, browser history and Referer headers) and are not invalidated after first use, so a captured token can be replayed. Each token additionally embeds the user's email address, base64-encoded, so anyone who obtains a token also learns which account it belongs to. Versions up to and including 3.7.4 are affected; version 3.7.5 fixes the issue.
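To make the three properties named above concrete (no purpose binding, no single use, email readable from the token), here is a simplified model of that token design beside a hardened one. This is example code written for this page, not CTFd's implementation or its fix; the secret key, the email address and the fixed timestamps are constructed demo values, and the `TokenService` class, its `issue`/`consume` methods and the in-memory used-nonce set are assumptions chosen for the illustration.

```python
"""Simplified model of the token-handling flaw class behind CVE-2024-11717.

Illustrative code written for this page, not CTFd's implementation.
The secret, email addresses and timestamps are constructed demo values.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real application uses its configured secret key.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


# --- Weak scheme: one signed base64(email) token shared by both flows ---------
# No purpose field, no expiry, no single-use marker: the properties the
# advisory describes as missing.

def weak_issue(email: str) -> str:
    """Mint a token; the same format is mailed for activation and for reset."""
    payload = _b64e(email.encode())
    return f"{payload}.{_sign(SECRET, payload)}"


def weak_verify(token: str) -> Optional[str]:
    """Return the email if the signature checks out; nothing else is checked."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(SECRET, payload), sig):
        return None
    return _b64d(payload).decode()


def weak_activate(token: str) -> Optional[str]:
    return weak_verify(token)  # accepts a reset token just as readily


def weak_reset_password(token: str, new_password: str) -> Optional[str]:
    return weak_verify(token)  # accepts an activation token: account takeover


def email_from_token(token: str) -> str:
    """Anyone holding a token can read the email without knowing the key."""
    return _b64d(token.partition(".")[0]).decode()


# --- Hardened scheme (assumed design): purpose-bound, expiring, single-use ----

class TokenService:
    def __init__(self, secret: bytes, ttl_seconds: int = 1800):
        self.secret = secret
        self.ttl = ttl_seconds
        self._used = set()  # consumed nonces; a real app persists these with a TTL

    def issue(self, email: str, purpose: str, now: Optional[int] = None) -> str:
        issued = int(time.time() if now is None else now)
        body = {"p": purpose, "e": email, "t": issued, "n": secrets.token_hex(8)}
        payload = _b64e(json.dumps(body, separators=(",", ":")).encode())
        return f"{payload}.{_sign(self.secret, payload)}"

    def consume(self, token: str, purpose: str, now: Optional[int] = None) -> Optional[str]:
        """Validate and burn a token; return the email, or None on any failure."""
        payload, _, sig = token.partition(".")
        if not hmac.compare_digest(_sign(self.secret, payload), sig):
            return None  # forged or tampered
        body = json.loads(_b64d(payload))
        current = int(time.time() if now is None else now)
        if body["p"] != purpose:
            return None  # activation token presented to the reset endpoint
        if current - body["t"] > self.ttl:
            return None  # expired
        if body["n"] in self._used:
            return None  # replay of an already-used link
        self._used.add(body["n"])
        return body["e"]


if __name__ == "__main__":
    t = weak_issue("alice@example.com")  # constructed address
    print("weak: activation token accepted for reset ->", weak_reset_password(t, "new-pw"))
    print("weak: email readable from token ->", email_from_token(t))
    svc = TokenService(SECRET)
    a = svc.issue("alice@example.com", "activate")
    print("hardened: activation token at reset endpoint ->", svc.consume(a, "reset"))
    print("hardened: first activation ->", svc.consume(a, "activate"))
    print("hardened: replay ->", svc.consume(a, "activate"))
```

The hardened variant still carries the email in readable base64; if that matters, issue an opaque random token and keep the (email, purpose, expiry) record server-side instead. It also does nothing about the token travelling in a GET URL: that is addressed by landing the link on a page that submits the token via POST, not by the token format.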

Affected Version(s)

CTFd <= 3.7.4 (all releases up to and including 3.7.4)

Exploit Proof of Concept (PoC)

Public PoC code, written by security researchers, demonstrates that the vulnerability is exploitable in practice; it also lowers the effort needed to weaponize the issue in real attacks.

CVSS v4

Score: 6.3 (MEDIUM)
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (the attacker must already be on-path to capture a token)
Privileges Required: Undefined
User Interaction: None
Vulnerable System Impact: Confidentiality None / Integrity Low / Availability None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published (2 January 2025)
  • Vulnerability reserved

Credit

Błażej Adamczyk (efigo.pl)