fkie_cve-2024-11717
Vulnerability from fkie_nvd
Published: 2025-01-02 17:15
Modified: 2025-01-02 18:15
Summary
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that, within the token's expiration time, an on-path attacker might reuse such a token to change the user's password and take over the account. Moreover, the tokens also include the base64-encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 (https://github.com/CTFd/CTFd/pull/2679), included in the 3.7.5 release.



{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user\u0027s password and take over the account.\u00a0Moreover, the tokens also include base64 encoded user email.\n\nThis issue impacts releases up to 3.7.4 and was addressed by  pull request 2679 https://github.com/CTFd/CTFd/pull/2679 \u00a0included in 3.7.5 release."
    },
    {
      "lang": "es",
      "value": "Los tokens en CTFd que se usan para activar cuentas y restablecer contrase\u00f1as se pueden usar indistintamente para estas operaciones. Cuando se usan, se env\u00edan al servidor como un par\u00e1metro GET y no son de un solo uso, lo que significa que, durante el tiempo de expiraci\u00f3n del token, un atacante en la ruta podr\u00eda reutilizar dicho token para cambiar la contrase\u00f1a del usuario y tomar el control de la cuenta. Adem\u00e1s, los tokens tambi\u00e9n incluyen el correo electr\u00f3nico del usuario codificado en base64. Este problema afecta a las versiones hasta la 3.7.4 y se solucion\u00f3 mediante la solicitud de incorporaci\u00f3n de cambios 2679 https://github.com/CTFd/CTFd/pull/2679 incluida en la versi\u00f3n 3.7.5."
    }
  ],
  "id": "CVE-2024-11717",
  "lastModified": "2025-01-02T18:15:15.740",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cvd@cert.pl",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-02T17:15:07.600",
  "references": [
    {
      "source": "cvd@cert.pl",
      "url": "https://blog.ctfd.io/ctfd-3-7-5/"
    },
    {
      "source": "cvd@cert.pl",
      "url": "https://cert.pl/en/posts/2025/01/CVE-2024-11716"
    },
    {
      "source": "cvd@cert.pl",
      "url": "https://ctfd.io/"
    },
    {
      "source": "cvd@cert.pl",
      "url": "https://github.com/CTFd/CTFd/pull/2679"
    },
    {
      "source": "cvd@cert.pl",
      "url": "https://seclists.org/fulldisclosure/2024/Dec/21"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://seclists.org/fulldisclosure/2024/Dec/21"
    }
  ],
  "sourceIdentifier": "cvd@cert.pl",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-837"
        },
        {
          "lang": "en",
          "value": "CWE-1391"
        }
      ],
      "source": "cvd@cert.pl",
      "type": "Secondary"
    }
  ]
}

