Aryan4859

**Name of the Vulnerable Software and Affected Versions** Flag Forge versions 2.2.0 through 2.3.0 **Description** Flag Forge improperly manages session invalidation. After a user logs out, they can still access protected endpoints, such as `/api/profile`, and CSRF tokens remain valid. This allows continued access and potential unauthorized actions post-logout. **Recommendations** Update to version 2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Flag Forge versions 2.1.0 through 2.2.9 **Description** Flag Forge is a Capture The Flag (CTF) platform. The API endpoint `GET /api/problems/:id` returns challenge hints in plaintext within the `question` object, regardless of whether the user has unlocked them. This allows users to view all hints for free, undermining the platform’s business logic and reducing the integrity of the challenge system. The vulnerable parameter is `id`. **Recommendations** Update to version 2.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Flag Forge versions prior to 2.2.0 **Description** Flag Forge is a Capture The Flag (CTF) platform. Non-admin users are able to create arbitrary challenges, which could lead to the introduction of malicious, incorrect, or misleading content. **Recommendations** Update to version 2.2.0 or later.