Assignment of a user to a team (bracket) in CTFd should be possible only once, at registration. A flaw in the logic implementation allows an authenticated user to reset their bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.
Reserved 2024-11-25 | Published 2025-01-02 | Updated 2025-01-02 | Assigner CERT-PL | CWE-837 Improper Enforcement of a Single, Unique Action
Błażej Adamczyk (efigo.pl)
github.com/CTFd/CTFd/pull/2636
cert.pl/en/posts/2025/01/CVE-2024-11716
ctfd.io/
blog.ctfd.io/ctfd-3-7-5/
seclists.org/fulldisclosure/2024/Dec/21