Medium severityNVD Advisory· Published Jan 2, 2025· Updated Apr 15, 2026

CVE-2024-11717

Description

Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might reuse such a token to change user's password and take over the account. Moreover, the tokens also include base64 encoded user email.

This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in 3.7.5 release.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2024/Dec/21nvd
blog.ctfd.io/ctfd-3-7-5/nvd
cert.pl/en/posts/2025/01/CVE-2024-11716nvd
ctfd.ionvd
github.com/CTFd/CTFd/pull/2679nvd
seclists.org/fulldisclosure/2024/Dec/21nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000