Flag Forge Capture The Flag Platform Privilege Escalation Vulnerability
Vulnerability
A vulnerability in the Flag Forge CTF platform, version 2.1.0, allows any authenticated user to assign high-privilege badges, such as Staff, to themselves via the /api/admin/assign-badge endpoint. The issue arises from inadequate access control and can lead to unauthorized privilege escalation and impersonation of administrative roles.
Impact
Exploitation of this vulnerability could result in unauthorized users gaining administrative privileges, allowing them to impersonate staff members and possibly misuse those privileges within the application.
Remediation
Users can upgrade to Flag Forge version 2.2.0, which addresses this vulnerability by implementing proper authentication and authorization checks on badge assignment endpoints. Instructions for updating can be found in the Flag Forge repository.
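The missing check described above, shown as a weak handler next to a corrected one. This is an added illustration, not Flag Forge source code: the session shape, the role name "admin", the "Participant" badge, the in-memory store and all function names are assumptions.

```javascript
// Added illustration; not Flag Forge code. Role names, session shape and the
// "Participant" badge are assumptions; "Staff" is the badge the advisory names.
const PRIVILEGED_ROLES = new Set(["admin"]);
const KNOWN_BADGES = new Set(["Staff", "Participant"]);

// Weak pattern: only checks that the caller is logged in, so any
// authenticated user can assign any badge, including to themselves.
function assignBadgeWeak(session, body, store) {
  if (!session) return { status: 401, error: "unauthenticated" };
  store.set(body.userId, body.badge);
  return { status: 200 };
}

// Corrected pattern: authenticate, authorize against the server-side role,
// validate the input, and record both denied and granted attempts.
function assignBadgeChecked(session, body, store, auditLog) {
  if (!session || typeof session.userId !== "string") {
    return { status: 401, error: "unauthenticated" };
  }
  // The role is read from the server-side session, never from the request.
  if (!PRIVILEGED_ROLES.has(session.role)) {
    auditLog.push({ actor: session.userId, action: "assign-badge", outcome: "denied" });
    return { status: 403, error: "forbidden" };
  }
  const { userId, badge } = body || {};
  if (typeof userId !== "string" || !KNOWN_BADGES.has(badge)) {
    return { status: 400, error: "invalid request" };
  }
  store.set(userId, badge);
  auditLog.push({ actor: session.userId, action: "assign-badge", target: userId, badge, outcome: "granted" });
  return { status: 200 };
}

// Regression check over constructed sessions and requests.
function runRegression() {
  const player = { userId: "u-player", role: "user" };
  const admin = { userId: "u-admin", role: "admin" };
  const selfGrant = { userId: "u-player", badge: "Staff" };
  const weakStore = new Map(), store = new Map(), audit = [];
  return {
    weakSelfGrant: assignBadgeWeak(player, selfGrant, weakStore).status,
    checkedSelfGrant: assignBadgeChecked(player, selfGrant, store, audit).status,
    checkedAnonymous: assignBadgeChecked(null, selfGrant, store, audit).status,
    checkedAdminGrant: assignBadgeChecked(admin, selfGrant, store, audit).status,
    checkedBadBadge: assignBadgeChecked(admin, { userId: "u-player", badge: "Root" }, store, audit).status,
    badgeAfter: store.get("u-player"),
    auditOutcomes: audit.map((e) => e.outcome),
  };
}
```

The denied entries in the audit log are also a useful detection signal on instances that have not yet been upgraded.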
