CVE-2024-11716

EUVD-2024-34048
While assignment of a user to a team (bracket) in CTFd  should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing.
This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by  pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
5.3 MEDIUM
NETWORK
LOW
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
ctfdctfd
3.7.0 ≤
𝑥
≤ 3.7.4
CNA
Common Weakness Enumeration
References
https://blog.ctfd.io/ctfd-3-7-5/
https://cert.pl/en/posts/2025/01/CVE-2024-11716
https://ctfd.io/
https://github.com/CTFd/CTFd/pull/2636
https://seclists.org/fulldisclosure/2024/Dec/21
http://seclists.org/fulldisclosure/2024/Dec/21
https://seclists.org/fulldisclosure/2024/Dec/21