CVE-2024-11716

CVE-2024-11716 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.3. Its EPSS exploit-prediction score of 12% places it in the 96th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-837.

Key facts

Description

While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.

Frequently asked questions

What is CVE-2024-11716?
While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.
How severe is CVE-2024-11716?
CVE-2024-11716 has a CVSS 4.0 base score of 5.3, rated medium severity.
Is CVE-2024-11716 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 12% (96th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-11716?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-11716 have an EU (EUVD) identifier?
Yes. CVE-2024-11716 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-34048.
When was CVE-2024-11716 published?
CVE-2024-11716 was published on 2025-01-02 and last updated on 2026-06-17.

References

Other CWE-837 vulnerabilities

Browse all CWE-837 vulnerabilities →