Vulnerability in CTFd

CVE-2024-11716

While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team whil…

EPSS: 0.051 (90.0th percentile)

Affected products

  • CTFd — version 3.7.0

Weakness classification (CWE)

References