CVE-2024-11716

N/A Unknown
Published: January 02, 2025 Modified: November 03, 2025
View on NVD

Description

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://blog.ctfd.io/ctfd-3-7-5/
Source: cvd@cert.pl
https://cert.pl/en/posts/2025/01/CVE-2024-11716
Source: cvd@cert.pl
https://ctfd.io/
Source: cvd@cert.pl
https://github.com/CTFd/CTFd/pull/2636
Source: cvd@cert.pl
https://seclists.org/fulldisclosure/2024/Dec/21
Source: cvd@cert.pl
http://seclists.org/fulldisclosure/2024/Dec/21
Source: af854a3a-2127-422b-91ae-364da2661108
https://seclists.org/fulldisclosure/2024/Dec/21
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
2.3%
85th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-837

Related CVEs

CVE-2026-4363 3.7
CVE-2026-3126 N/A
CVE-2026-33268 6.5
CVE-2026-26830 9.8
CVE-2026-23514 8.8