← back
CVE-2024-11717

CVE-2024-11717

CVSS 6.3 MEDIUMEPSS 0.6%CWE-1391CWE-837
In short

CTFd's account activation and password reset tokens can be reused and aren't properly validated, allowing attackers on the same network to intercept and misuse them to take over accounts. The tokens also expose user email addresses in plain sight.

Technical detail

The vulnerability exists in CTFd ≤3.7.4 where reset/activation tokens are transmitted as GET parameters, lack single-use enforcement, and can be reused within their validity window. An on-path attacker can intercept tokens, decode the embedded base64-encoded email, and leverage token interchangeability to execute unauthorized password resets or account takeovers. Mitigation requires token validation improvements and single-use enforcement (addressed in 3.7.5).

Summary generated and translated by AI from the official description.
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679  included in 3.7.5 release.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
CTFd · CTFd

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.ctfd.io/ctfd-3-7-5/https://cert.pl/en/posts/2025/01/CVE-2024-11716https://ctfd.io/http://seclists.org/fulldisclosure/2024/Dec/21https://github.com/CTFd/CTFd/pull/2679https://seclists.org/fulldisclosure/2024/Dec/21