CVE-2020-5290

01.04.2020, 20:15

In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team&#39;s account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
GitHub_M	CNA	6.5 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Vendor	Product	Version
ctfd	rctf	𝑥 < 2.3

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

https://github.com/redpwn/rctf/issues/147

https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq

https://github.com/redpwn/rctf/issues/147

https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq