CVE-2025-61777 in flagForgeinformación

Resumen

por MITRE • 2025-10-06

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Responsable

GitHub M

Reservar

2025-09-30

Divulgación

2025-10-06

Moderación

aceptado

Artículo

VDB-327290

CPE

listo

EPSS

0.00427

KEV

no

Actividades

muy bajo

Fuentes

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!