CVE-2024-11716

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 included in 3.7.5 release.

CVSS

No CVSS.

References

Link	Resource
https://blog.ctfd.io/ctfd-3-7-5/
https://cert.pl/en/posts/2025/01/CVE-2024-11716
https://ctfd.io/
https://github.com/CTFd/CTFd/pull/2636
https://seclists.org/fulldisclosure/2024/Dec/21
http://seclists.org/fulldisclosure/2024/Dec/21
https://seclists.org/fulldisclosure/2024/Dec/21

Configurations

No configuration.

History

03 Nov 2025, 22:16

Type	Values Removed	Values Added
Summary		(es) Si bien la asignación de un usuario a un equipo (grupo) en CTFd debería ser posible solo una vez, en el momento del registro, una falla en la implementación de la lógica permite que un usuario autenticado restablezca su grupo y luego elija uno nuevo, uniéndose a otro equipo mientras una competencia ya está en curso. Este problema afecta las versiones desde la 3.7.0 hasta la 3.7.4 y se solucionó mediante la solicitud de incorporación de cambios 2636 https://github.com/CTFd/CTFd/pull/2636 incluida en la versión 3.7.5.
References		() http://seclists.org/fulldisclosure/2024/Dec/21 -

02 Jan 2025, 18:15

Type	Values Removed	Values Added
References	~~() https://seclists.org/fulldisclosure/2024/Dec/21 -~~	() https://seclists.org/fulldisclosure/2024/Dec/21 -

02 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-02 17:15

Updated : 2025-11-03 22:16

NVD link : CVE-2024-11716

Mitre link : CVE-2024-11716

CVE.ORG link : CVE-2024-11716

JSON object : View

Products Affected

No product.

CWE

CWE-837

Improper Enforcement of a Single, Unique Action

{"id": "CVE-2024-11716", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-02T17:15:07.090", "references": [{"url": "https://blog.ctfd.io/ctfd-3-7-5/", "source": "cvd@cert.pl"}, {"url": "https://cert.pl/en/posts/2025/01/CVE-2024-11716", "source": "cvd@cert.pl"}, {"url": "https://ctfd.io/", "source": "cvd@cert.pl"}, {"url": "https://github.com/CTFd/CTFd/pull/2636", "source": "cvd@cert.pl"}, {"url": "https://seclists.org/fulldisclosure/2024/Dec/21", "source": "cvd@cert.pl"}, {"url": "http://seclists.org/fulldisclosure/2024/Dec/21", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/fulldisclosure/2024/Dec/21", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-837"}]}], "descriptions": [{"lang": "en", "value": "While assignment of a user to a team (bracket) in\u00a0CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing.\nThis issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 \u00a0included in 3.7.5 release."}, {"lang": "es", "value": "Si bien la asignaci\u00f3n de un usuario a un equipo (grupo) en CTFd deber\u00eda ser posible solo una vez, en el momento del registro, una falla en la implementaci\u00f3n de la l\u00f3gica permite que un usuario autenticado restablezca su grupo y luego elija uno nuevo, uni\u00e9ndose a otro equipo mientras una competencia ya est\u00e1 en curso. Este problema afecta las versiones desde la 3.7.0 hasta la 3.7.4 y se solucion\u00f3 mediante la solicitud de incorporaci\u00f3n de cambios 2636 https://github.com/CTFd/CTFd/pull/2636 incluida en la versi\u00f3n 3.7.5."}], "lastModified": "2025-11-03T22:16:38.667", "sourceIdentifier": "cvd@cert.pl"}