CTFd 3.7.2 has been released with a security fix for a vulnerability where an attacker could extract flags from CTFd provided that an admin interacted with a malicious page.
To mitigate the above vulnerability, CTFd will no longer return 404s in paginated listing pages and API endpoints.
For example, previously when searching for a user whose name did not exist, if you attempted to browse to the next page, you would receive a 404. Now instead of receiving a 404 you will receive a 200 response with information indicating that a result could not be found.
Similar behavior will also occur with the API. Instead of a 404 response, the API will now respond with a 200 and an empty listing. These were the intended behaviors of the pages and endpoints, so we feel that this API change is acceptable given the associated security risk.
As a defense in depth measure, CTFd will also now add the Cross-Origin-Opener-Policy response header to all responses with the default value of same-origin-allow-popups. This header can be controlled with the newly added CROSS_ORIGIN_OPENER_POLICY configuration.
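To make the pagination change and the new header concrete, here is an added example (not CTFd's own code) of a minimal stand-in for a paginated listing endpoint. It shows the pre-3.7.2 behavior, where an out-of-range page answers 404 so that the status code alone tells whether a filter matched anything, next to the fixed behavior, where every page answers 200 with an empty listing and a "not found" message, and every response carries Cross-Origin-Opener-Policy: same-origin-allow-popups. The user table, function names and page size are assumptions for illustration, not CTFd identifiers.

```python
"""Added example (not CTFd's own code): status-code oracle in paginated
listings before 3.7.2, and the fixed behavior plus the COOP header after.
Names and sample data here are constructed for illustration."""

from math import ceil

# Constructed sample table standing in for the users listing.
USERS = [{"id": i, "name": n}
         for i, n in enumerate(["alice", "bob", "carol", "dave", "erin"], start=1)]

COOP_HEADER = "Cross-Origin-Opener-Policy"
COOP_VALUE = "same-origin-allow-popups"  # default value added in CTFd 3.7.2


def list_users(query, page, per_page=2, legacy=False):
    """Return (status, headers, body) for a filtered, paginated listing.

    legacy=True reproduces the pre-3.7.2 behavior: a page past the end of the
    (possibly empty) result set answers 404, so the status code differs
    depending on whether the filter matched anything.
    legacy=False is the fixed behavior: always 200, an empty results list,
    a message saying nothing was found, and the COOP header on every response.
    """
    matches = [u for u in USERS if query.lower() in u["name"].lower()]
    pages = ceil(len(matches) / per_page)
    start = (page - 1) * per_page
    results = matches[start:start + per_page]

    if legacy and (page < 1 or page > pages):
        return 404, {}, {"error": "not found"}

    headers = {COOP_HEADER: COOP_VALUE}
    body = {"results": results, "page": page, "pages": pages, "total": len(matches)}
    if not results:
        body["message"] = "No results found"
    return 200, headers, body


def status_is_oracle(legacy):
    """True if the status code of page 2 reveals whether the query matched.

    'a' matches alice, carol and dave (3 rows, 2 pages), so page 2 exists;
    'zzz' matches nothing, so page 2 is out of range.
    """
    matched, _, _ = list_users("a", page=2, legacy=legacy)
    unmatched, _, _ = list_users("zzz", page=2, legacy=legacy)
    return matched != unmatched


if __name__ == "__main__":
    print("pre-3.7.2 status leaks match/no-match:", status_is_oracle(legacy=True))
    print("3.7.2 status leaks match/no-match:    ", status_is_oracle(legacy=False))
    print(list_users("zzz", page=2))
```

The fixed branch keeps the response shape the client already expects (results, page count, total) and only stops varying the status code; the body is still different, but the body is not what the 3.7.2 change is concerned with. The header is set unconditionally so that a later refactor of the 404 path cannot drop it.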
Given the significant amount of admin interaction with a malicious page that the vulnerability requires, the custom security measures in place, and an audit of our traffic logs, we do not believe that any Hosted CTFd customer has been affected by this vulnerability.
For self-hosted users/customers, you can determine if you were affected by looking through your logs for significant traffic to the /admin/submissions or /api/v1/submissions endpoints.
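The log check above can be scripted. The following is an added example (not CTFd's own tooling) that parses combined-format access logs, as written by nginx or Apache, tallies requests to the two endpoints the advisory names per client address, and reports clients above a request threshold together with how many of their requests were answered 404. The log lines, IP addresses and the threshold are constructed for illustration.

```python
"""Added example (not CTFd's own tooling): find heavy traffic to
/admin/submissions and /api/v1/submissions in combined-format access logs.
All log lines, addresses and thresholds below are constructed."""

import re
from collections import defaultdict

WATCHED = ("/admin/submissions", "/api/v1/submissions")

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def make_line(ip, path, status):
    """Build one constructed combined-log line (fixed, fake timestamp)."""
    return (f'{ip} - - [10/Jun/2024:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 123 "-" "Mozilla/5.0"')


# Constructed sample: light normal admin use from 192.0.2.10, unrelated
# traffic from 198.51.100.3, and a burst of paginated submission queries
# from 203.0.113.7 where every page after the first was answered 404.
SAMPLE_LOG = (
    [make_line("192.0.2.10", "/admin/submissions", 200) for _ in range(4)]
    + [make_line("192.0.2.10", "/api/v1/submissions?page=1", 200)]
    + [make_line("203.0.113.7", f"/api/v1/submissions?q=x&page={i}",
                 404 if i > 1 else 200) for i in range(1, 121)]
    + [make_line("198.51.100.3", "/api/v1/challenges", 200) for _ in range(30)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_watched(path):
    """True for the two advisory endpoints and anything nested under them."""
    return any(path == w or path.startswith(w + "/") for w in WATCHED)


def tally(lines):
    """Per (client ip, endpoint): total requests and how many were 404s."""
    stats = defaultdict(lambda: {"total": 0, "404": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        entry = stats[(rec["ip"], rec["path"])]
        entry["total"] += 1
        if rec["status"] == 404:
            entry["404"] += 1
    return dict(stats)


def suspicious(lines, threshold=50):
    """Clients with at least `threshold` requests to a watched endpoint.

    Returns (ip, endpoint, total, count_of_404) tuples, busiest first. A high
    share of 404s is consistent with the paginated probing that the 3.7.2
    change stops; treat it as a triage hint to review, not as proof.
    """
    hits = [(ip, path, s["total"], s["404"])
            for (ip, path), s in tally(lines).items() if s["total"] >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for ip, path, total, n404 in suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {total} requests, {n404} answered 404")
```

To run this against a real deployment, replace SAMPLE_LOG with the lines of your access log (for example `open("access.log")`) and pick a threshold that sits well above your admins' normal use of the submissions pages; legitimate admin traffic from a known address can then be excluded by hand.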
If you are unable to easily update your CTFd instance, you can configure your reverse proxy (e.g. nginx) to add the Cross-Origin-Opener-Policy response header with a value of same-origin-allow-popups.
v3.7.2 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.