Home > Vulnerability Database > CVE-2024-11716

Mend.io Vulnerability Database

CVE-2024-11716

Date: January 2, 2025

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 included in 3.7.5 release.

Severity Score

3.5

Related Resources (7)

Url: https://cert.pl/en/posts/2025/01/CVE-2024-11716

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11716

Url: https://seclists.org/fulldisclosure/2024/Dec/21

Url: https://github.com/CTFd/CTFd/pull/2636

Url: https://ctfd.io/

Url: https://blog.ctfd.io/ctfd-3-7-5/

Url: https://www.mend.io/vulnerability-database/CVE-2024-11716

Severity Score

3.5

Weakness Type (CWE)

Improper Enforcement of a Single, Unique Action

CWE-837

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11716

Date: January 2, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?