Vulnerability in Ctfd
CVE-2024-11717
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during token expir…
EPSS: 0.004 (59.9th percentile)
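The description above names two properties the tokens lacked: binding to one operation (an activation token should not be accepted for a password reset) and single use. The following is an added example written for this page, not CTFd's code and not the fix in the linked pull request; it shows one way to enforce both properties, plus a third that costs nothing extra: tying the token to the user's current credential state so every outstanding reset token is dead once the password actually changes. The token format, the in-memory redemption store, the sample secret and the user records are assumptions made for the example.

```python
"""Purpose-bound, single-use, expiring account tokens.

Added example (not CTFd's code). Token format, in-memory redemption store,
SECRET and the user dicts are assumptions made for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SECRET = b"example-server-secret-not-for-production"  # constructed sample key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _fingerprint(user: dict) -> str:
    # Short hash of the stored password hash: changes whenever the password does,
    # so tokens issued before a reset stop verifying without any bookkeeping.
    return hashlib.sha256(user["password_hash"].encode()).hexdigest()[:16]


def issue_token(user: dict, purpose: str, ttl: int, now: Optional[float] = None) -> str:
    """Return a signed token valid for exactly one purpose ('activate' or 'reset')."""
    now = time.time() if now is None else now
    claims = {
        "uid": user["id"],
        "p": purpose,               # purpose binding
        "exp": now + ttl,           # expiry
        "fp": _fingerprint(user),   # credential-state binding
        "n": secrets.token_hex(8),  # nonce: makes each token distinct for single-use tracking
    }
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


class TokenRedeemer:
    """Verifies tokens and records each redeemed nonce so a token works only once."""

    def __init__(self) -> None:
        self._redeemed = set()  # assumption: in-memory; persist this in the database in practice

    def redeem(self, token: str, expected_purpose: str, user: dict,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (True, 'ok') or (False, reason). A token is consumed only on success."""
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        expected_sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, sig):
            return False, "bad signature"
        claims = json.loads(payload)
        if claims["p"] != expected_purpose:
            return False, "wrong purpose"  # an activation token cannot reset a password
        if now > claims["exp"]:
            return False, "expired"
        if claims["uid"] != user["id"] or claims["fp"] != _fingerprint(user):
            return False, "stale"  # password changed since the token was issued
        if claims["n"] in self._redeemed:
            return False, "already used"  # a second use of the same token is refused
        self._redeemed.add(claims["n"])
        return True, "ok"


def forge_purpose(token: str, new_purpose: str) -> str:
    """Attacker attempt: rewrite the purpose claim while keeping the original signature."""
    payload_b64, sig_b64 = token.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["p"] = new_purpose
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    alice = {"id": 7, "password_hash": "hash-v1"}  # constructed user record
    redeemer = TokenRedeemer()
    t = issue_token(alice, "reset", ttl=3600, now=1000.0)
    print(redeemer.redeem(t, "activate", alice, now=1001.0))  # rejected: wrong purpose
    print(redeemer.redeem(t, "reset", alice, now=1001.0))     # accepted once
    print(redeemer.redeem(t, "reset", alice, now=1002.0))     # rejected: already used
```

The redemption store is keyed on the nonce rather than on the whole token so that a re-encoded but otherwise identical token cannot slip past it, and the purpose check runs only after the signature check, so editing the purpose claim in the URL (as `forge_purpose` tries) fails on the signature rather than being compared at all. Separately from the token design, the description notes the token travels as a GET parameter; the usual mitigation is to have the emailed link render a page that submits the token in a POST body, so the secret does not end up in Referer headers, proxy logs or browser history.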
Affected products
- Ctfd — versions from 0 up to, but not including, 3.7.5 (the release covered by the vendor advisory below)
Weakness classification (CWE)
References
- cert.pl/en/posts/2025/01/CVE-2024-11716 (third-party-advisory)
- ctfd.io/ (product)
- github.com/CTFd/CTFd/pull/2679 (patch)
- blog.ctfd.io/ctfd-3-7-5/ (vendor-advisory)
- seclists.org/fulldisclosure/2024/Dec/21 (mailing-list, exploit)