CTFd Password Reset and Activation Token Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability in CTFd versions through 3.7.4 allows the tokens used for account activation and for password reset to be used interchangeably and to be reused. Each token embeds the base64-encoded user email and is delivered as a GET parameter in an emailed link, so an on-path attacker who can observe that request obtains a token that the password reset flow will accept, and can hijack the account by resetting its password. The tokens are not single-use and remain valid for 30 minutes, so a captured token can be replayed for the whole window to gain unauthorized access.

Impact

An attacker holding a valid activation or reset token can reset the victim's password without any further authentication, leading to account takeover.

Reproduction

To reproduce, register an account on a CTFd instance running a vulnerable version. The activation token is carried in the email confirmation link and includes the base64-encoded email address. Submit that activation token to the password reset flow instead of the confirmation flow: within the 30-minute validity window it is accepted, the password is changed, and the account is taken over. Because the token is not invalidated on use, the same token can be submitted again until it expires.
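The two properties behind the Vulnerability and Reproduction sections (no purpose bound to the token, no invalidation on use) are easiest to see in a small model. The following is an added example written for this page, not CTFd's own code: the "vulnerable" half uses one HMAC-signed, timestamped base64(email) token for both activation and reset, the way the advisory describes; the "hardened" half puts the purpose inside the signed payload and binds the signature to the account state that the action changes, so a token dies the moment it is used. The secret key, the user record and the email address are constructed for the example, and the hardening shown is one reasonable design, not a description of the 3.7.5 patch.

```python
"""Model of interchangeable, reusable activation/reset tokens and a hardened
variant. Added example for this page; not CTFd code. Standard library only."""
from __future__ import annotations

import base64
import hashlib
import hmac
import time

SECRET = b"example-secret-key"  # constructed; a real app uses its SECRET_KEY
TOKEN_TTL_SECONDS = 30 * 60     # the 30-minute validity window from the advisory


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(msg: str) -> str:
    return _b64(hmac.new(SECRET, msg.encode(), hashlib.sha256).digest())


def _fresh(ts: str, now: float) -> bool:
    return 0 <= now - int(ts) <= TOKEN_TTL_SECONDS


# --- Vulnerable pattern: one token format shared by activation and reset ----

def vuln_make_token(email: str, now: float) -> str:
    """Token = base64(email).timestamp.hmac; nothing in it says what it is for."""
    payload = f"{_b64(email.encode())}.{int(now)}"
    return f"{payload}.{_sign(payload)}"


def vuln_load_token(token: str, now: float) -> str | None:
    """Returns the email if the signature checks and the token is under 30 min old."""
    try:
        email_b64, ts, sig = token.split(".")
        email = _unb64(email_b64).decode()
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{email_b64}.{ts}")) or not _fresh(ts, now):
        return None
    return email


def vuln_confirm(token: str, users: dict, now: float) -> bool:
    email = vuln_load_token(token, now)
    if email not in users:
        return False
    users[email]["verified"] = True
    return True


def vuln_reset(token: str, new_password: str, users: dict, now: float) -> bool:
    # Same loader as vuln_confirm, so an activation token resets the password too,
    # and nothing records that the token has already been spent.
    email = vuln_load_token(token, now)
    if email not in users:
        return False
    users[email]["password"] = new_password
    return True


# --- Hardened pattern: purpose in the payload, signature bound to account state

def _state(user: dict) -> str:
    # Whatever the action changes goes into the MAC input; once it changes,
    # every token minted before the change stops verifying (single use).
    return hashlib.sha256(f"{user['password']}|{user['verified']}".encode()).hexdigest()


def safe_make_token(email: str, purpose: str, users: dict, now: float) -> str:
    payload = f"{purpose}.{_b64(email.encode())}.{int(now)}"
    return f"{payload}.{_sign(payload + '.' + _state(users[email]))}"


def safe_load_token(token: str, purpose: str, users: dict, now: float) -> str | None:
    try:
        tok_purpose, email_b64, ts, sig = token.split(".")
        email = _unb64(email_b64).decode()
    except ValueError:
        return None
    if tok_purpose != purpose or email not in users:
        return None
    expected = _sign(f"{tok_purpose}.{email_b64}.{ts}.{_state(users[email])}")
    if not hmac.compare_digest(sig, expected) or not _fresh(ts, now):
        return None
    return email


def safe_confirm(token: str, users: dict, now: float) -> bool:
    email = safe_load_token(token, "activate", users, now)
    if email is None:
        return False
    users[email]["verified"] = True
    return True


def safe_reset(token: str, new_password: str, users: dict, now: float) -> bool:
    email = safe_load_token(token, "reset", users, now)
    if email is None:
        return False
    users[email]["password"] = new_password
    return True


def demo() -> dict:
    """Replays the advisory's scenario against both models; returns the outcomes."""
    now = time.time()
    email = "player@example.com"  # constructed
    users = {email: {"password": "original", "verified": False}}
    activation = vuln_make_token(email, now)  # what the confirmation link carries
    r = {}
    r["vuln_activation_resets_password"] = vuln_reset(activation, "pwned", users, now)
    r["vuln_token_reusable"] = vuln_reset(activation, "again", users, now + 10 * 60)
    r["vuln_token_after_30min"] = vuln_reset(activation, "late", users, now + 31 * 60)

    users = {email: {"password": "original", "verified": False}}
    activation = safe_make_token(email, "activate", users, now)
    r["safe_activation_resets_password"] = safe_reset(activation, "pwned", users, now)
    r["safe_activation_confirms_once"] = safe_confirm(activation, users, now)
    r["safe_activation_reusable"] = safe_confirm(activation, users, now)
    reset = safe_make_token(email, "reset", users, now)
    r["safe_reset_works_once"] = safe_reset(reset, "new-pass", users, now)
    r["safe_reset_reusable"] = safe_reset(reset, "again", users, now)
    r["final_password"] = users[email]["password"]
    return r
```

Run demo() to see the contrast: the vulnerable model lets the activation token change the password and accepts it again ten minutes later, refusing it only after the 30-minute window; the hardened model rejects the activation token at the reset endpoint outright and rejects every token a second time because the account state it was signed over no longer matches. Binding to state rather than keeping a table of consumed tokens is what makes the single-use property hold even across server restarts.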

Remediation

Update to CTFd version 3.7.5, which fixes this issue.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM