### [CVE-2024-11716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11716)
![](https://img.shields.io/static/v1?label=Product&message=CTFd&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=3.7.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-837%20Improper%20Enforcement%20of%20a%20Single%2C%20Unique%20Action&color=brightgreen)

### Description

While assignment of a user to a team (bracket) in CTFd  should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset it's bracket and then pick a new one, joining another team while a competition is already ongoing.This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by  pull request 2636 https://github.com/CTFd/CTFd/pull/2636  included in 3.7.5 release.

### POC

#### Reference
- https://seclists.org/fulldisclosure/2024/Dec/21

#### Github
No PoCs found on GitHub currently.