Back to search
CVE-2024-11716
Published: Jan 2, 2025
Modified: Nov 3, 2025
PUBLISHED
Description
While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 included in 3.7.5 release.
| Vendor | Product | Versions |
|---|---|---|
CTFd | CTFd | affected 3.7.0 - <= 3.7.4 |
Weaknesses (CWE)
References
https://cert.pl/en/posts/2025/01/CVE-2024-11716
third-party-advisory
https://ctfd.io/
product
https://blog.ctfd.io/ctfd-3-7-5/
vendor-advisory
https://seclists.org/fulldisclosure/2024/Dec/21
mailing-list
exploit
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now