Home > Vulnerability Database > CVE-2024-11717

Mend.io Vulnerability Database

CVE-2024-11717

Date: January 2, 2025

Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in 3.7.5 release.

Severity Score

5.3

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11717

Url: https://cert.pl/en/posts/2025/01/CVE-2024-11716

Url: https://seclists.org/fulldisclosure/2024/Dec/21

Url: https://github.com/CTFd/CTFd/pull/2679

Url: https://ctfd.io/

Url: https://blog.ctfd.io/ctfd-3-7-5/

Url: https://www.mend.io/vulnerability-database/CVE-2024-11717

Severity Score

5.3

Weakness Type (CWE)

Improper Enforcement of a Single, Unique Action

CWE-837

Use of Weak Credentials

CWE-1391

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11717

Date: January 2, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?