CTFd 3.8.4

CTFd 3.8.4 has been released with security fixes for two vulnerabilities.

The first vulnerability allows an attacker to cause partially controlled links to be served to other users. This could result in malicious JavaScript execution if the links are clicked.

The second vulnerability is an open redirect: a maliciously crafted registration or login URL can send the user to an attacker-chosen destination once they fully log in through it. This could be used to phish or otherwise trick users.
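The advisory gives no details of either bug's mechanics, but both belong to well-known classes, so here is an added example (this editor's code, not CTFd's) of the two checks an application would apply: restricting a next-style redirect target to the site's own host, and refusing user-supplied link targets whose scheme (such as javascript:) runs code when clicked. The function names, the scheme allow-list and the host ctf.example are assumptions of the example.

```python
"""Added example, not CTFd's code: two URL checks for the two bug classes in
this advisory (an open redirect via a next-style parameter, and user-controlled
links that execute JavaScript when clicked). Function names, the scheme
allow-list and the host "ctf.example" are assumptions of this example."""
import re
from urllib.parse import urlsplit

# Browser URL parsers ignore leading/trailing C0 controls and spaces, and
# ignore tab/CR/LF anywhere, so strip them first; otherwise "java\tscript:"
# and "/\t/evil.example" slip past a naive check.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

# Schemes a user-supplied link may use. javascript:, data: and vbscript: are
# deliberately absent: clicking them runs code in the viewer's browser.
SAFE_LINK_SCHEMES = frozenset({"http", "https", "mailto"})


def _normalise(url: str) -> str:
    """Mimic the browser's pre-parsing so the check sees what the browser sees."""
    cleaned = url.strip(_C0_AND_SPACE)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    return cleaned


def _scheme(url: str) -> str:
    """Scheme as a browser would read it ('' when the URL is relative)."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def is_safe_redirect(target: str, host: str) -> bool:
    """True if `target` (e.g. a next= value) can only lead back to `host`.

    Accepts site-relative paths and absolute http(s) URLs whose authority is
    exactly `host`; rejects other hosts, scheme-relative "//evil", userinfo
    tricks like "https://host@evil", and backslashes, which browsers treat
    as forward slashes.
    """
    if not target:
        return False
    target = _normalise(target).replace("\\", "/")
    scheme = _scheme(target)
    if scheme and scheme not in ("http", "https"):
        return False
    try:
        netloc = urlsplit(target).netloc
    except ValueError:
        # e.g. an unbalanced IPv6 bracket; never let a crafted value raise
        return False
    if netloc:
        # Absolute or scheme-relative URL: the whole authority must match,
        # so "ctf.example@evil.example" and "evil.example" both fail.
        return netloc.lower() == host.lower()
    # No authority: must be a plain path with a single leading slash.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, host: str, default: str = "/") -> str:
    """Return the normalised `target` if it is safe, otherwise `default`."""
    cleaned = _normalise(target).replace("\\", "/") if target else ""
    return cleaned if is_safe_redirect(cleaned, host) else default


def is_safe_link(url: str) -> bool:
    """True if a user-supplied link may be rendered as an <a href>.

    Relative links and links to other sites are fine here (the goal is no
    script execution, not same-origin); any explicit scheme must be on the
    allow-list. The template must still HTML-escape the value, otherwise an
    entity such as "&colon;" would undo this check.
    """
    if not url:
        return False
    scheme = _scheme(_normalise(url))
    return scheme == "" or scheme in SAFE_LINK_SCHEMES


if __name__ == "__main__":
    host = "ctf.example"
    for t in ["/challenges", "//evil.example/", "/\\evil.example",
              "https://ctf.example@evil.example/", "javascript:alert(1)"]:
        print(f"next={t!r:40} -> {safe_redirect_target(t, host)}")
    for u in ["https://example.com/writeup", "javascript:alert(1)",
              " JaVaScRiPt:alert(1)", "java\tscript:alert(1)"]:
        print(f"href={u!r:35} -> {'allow' if is_safe_link(u) else 'reject'}")
```

Run it directly to see which constructed inputs are accepted or rejected. In a Flask application the login and register handlers would call safe_redirect_target on the raw next value instead of redirecting to it as received, and is_safe_link would gate any link target a user can set for other users to click.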

We recommend all CTFd users update their instance to v3.8.4.

If your CTFd instance cannot be easily updated, we recommend applying the following temporary stop-gap measures:

  • Changing the REVERSE_PROXY setting of CTFd from true to 1,1,1,1,0. The comma-separated form is passed through as the arguments to Werkzeug's ProxyFix middleware (x_for, x_proto, x_host, x_port, x_prefix), so this keeps trusting the forwarded client address, scheme, host and port from your proxy but stops trusting the X-Forwarded-Prefix header.

  • Adding a proxy configuration to remove the next query parameter. For example in nginx:

    # Strip the `next` query parameter before proxying. Put this inside the
    # server {} or location {} block that proxies to CTFd; `return` is one of
    # the few directives that is safe to use inside an nginx `if`.
    if ($arg_next) {
      return 301 $uri;
    }
    # Caveat: `$uri` is the request path only, so this redirect drops every
    # query parameter on the request, not just `next`.
    

v3.8.4 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub or by downloading the latest version of the Enterprise installer from their account at https://cloud.ctfd.io/.
