Cyber Posture

CVE-2024-11716

Severity: N/A
Published: 02 January 2025
Modified: 15 April 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: fixed in CTFd 3.7.5
CVSS Score: N/A
EPSS Score: 0.0658 (91.2nd percentile)
Risk Priority: 4 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11716 is an uncategorised-severity Improper Enforcement of a Single, Unique Action (CWE-837) vulnerability in CTFd (product inferred from references). Its CVSS base score is N/A.

Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: AC-3 (Access Enforcement) enforces approved authorizations for logical access, directly preventing the unauthorized reset and change of team assignment after registration that the logic flaw allows.

prevent: SI-2 (Flaw Remediation) requires timely remediation of identified flaws, here patching CTFd to version 3.7.5 or later to fix the team-switching vulnerability.

prevent: AC-2 (Account Management) manages account attributes, including the conditions for group and role membership, and can be used to restrict team assignment so that it cannot be changed after registration.

NVD Description

While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.

Deeper analysis

CVE-2024-11716 is a logic implementation flaw in CTFd, an open-source platform for hosting Capture The Flag (CTF) competitions. The vulnerability affects releases from 3.7.0 up to and including 3.7.4. Normally, user assignment to a team (bracket) should occur only once during registration, but the defect allows an authenticated user to reset their bracket and join a different team even while a competition is ongoing.

An authenticated user, such as a registered competition participant, can exploit this issue to switch teams mid-competition. Successful exploitation lets the user abandon their original team and join another, potentially disrupting competition integrity through score transfers, collusion, or other manipulation of team standings.

The vulnerability was addressed in CTFd 3.7.5 via pull request 2636 on GitHub. Mitigation involves upgrading to version 3.7.5 or later. Further details on the fix and disclosure are provided in the CTFd blog at https://blog.ctfd.io/ctfd-3-7-5/, CERT.PL advisory at https://cert.pl/en/posts/2025/01/CVE-2024-11716, and Full Disclosure mailing list at https://seclists.org/fulldisclosure/2024/Dec/21.
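As an added illustration (hypothetical code, not CTFd's own and not the PR 2636 fix), the two functions below model the write-once bracket rule described above: one with the reset hole that CWE-837 describes, one that enforces a single assignment. The `attempt_switch` helper is the kind of regression check a maintainer can keep to make sure the rule stays enforced.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class BracketChangeError(Exception):
    """Raised when a request would change a bracket that is already fixed."""


@dataclass
class User:
    name: str
    bracket_id: Optional[int] = None  # None until the user picks one at registration


def set_bracket_vulnerable(user: User, bracket_id: Optional[int]) -> None:
    """Flawed one-time check (hypothetical model of the CWE-837 pattern).

    The guard only blocks overwriting a bracket that is already set, but the
    same path also accepts None as a "reset". Reset followed by a fresh pick
    therefore defeats the guard.
    """
    if bracket_id is None:            # reset path: clears the bracket
        user.bracket_id = None
        return
    if user.bracket_id is not None:   # looks write-once, but the reset above bypasses it
        raise BracketChangeError(f"{user.name} already belongs to bracket {user.bracket_id}")
    user.bracket_id = bracket_id


def set_bracket_fixed(user: User, bracket_id: Optional[int]) -> None:
    """Write-once bracket: once set, no user-facing request may clear or change it."""
    if user.bracket_id is not None:
        raise BracketChangeError(f"{user.name} already belongs to bracket {user.bracket_id}")
    if bracket_id is None:
        raise ValueError("a bracket must be chosen at registration")
    user.bracket_id = bracket_id


def attempt_switch(setter: Callable[[User, Optional[int]], None],
                   user: User, new_bracket: int) -> bool:
    """Regression check: apply reset-then-pick to an already-registered user.

    Returns True only if the user ended up in new_bracket, i.e. the
    write-once rule was broken. A correct setter must return False.
    """
    try:
        setter(user, None)          # reset
        setter(user, new_bracket)   # pick a different bracket
    except (BracketChangeError, ValueError):
        pass
    return user.bracket_id == new_bracket
```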

Details

CWE(s): CWE-837 (Improper Enforcement of a Single, Unique Action)

Affected Products: Ctfd (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-44601 (shared CWE-837)