CVE-2024-11717

Name of the Vulnerable Software and Affected Versions CTFd versions prior to 3.7.5

Description The issue concerns tokens used for account activation and password resetting in CTFd, which can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and are not single use. This means that during the token expiration time, an on-path attacker might reuse such a token to change a user's password and take over the account. Moreover, the tokens also include the user's email encoded in base64.

Recommendations For versions prior to 3.7.5, update to version 3.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the account activation and password resetting features until the update is applied. Additionally, users should be cautious when using these features and monitor their account activity for any suspicious behavior.