CVE-2020-5290 - OpenCVE

In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ctfd	Rctf

Configuration 1 [-]

cpe:2.3:a:ctfd:rctf:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/redpwn/rctf/issues/147
https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-04-01T19:25:15

Updated: 2024-08-04T08:22:09.090Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5290

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-01T20:15:15.223

Modified: 2020-04-03T13:40:49.373

Link: CVE-2020-5290

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "rctf", "vendor": "redpwn", "versions": [{"status": "affected", "version": "< 2.3"}]}], "descriptions": [{"lang": "en", "value": "In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-01T19:25:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/redpwn/rctf/issues/147"}], "source": {"advisory": "GHSA-p5fh-2vhw-fvpq", "discovery": "UNKNOWN"}, "title": "session fixation in rCTF", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5290", "STATE": "PUBLIC", "TITLE": "session fixation in rCTF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "rctf", "version": {"version_data": [{"version_value": "< 2.3"}]}}]}, "vendor_name": "redpwn"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-384: Session Fixation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq", "refsource": "CONFIRM", "url": "https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq"}, {"name": "https://github.com/redpwn/rctf/issues/147", "refsource": "MISC", "url": "https://github.com/redpwn/rctf/issues/147"}]}, "source": {"advisory": "GHSA-p5fh-2vhw-fvpq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.090Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redpwn/rctf/issues/147"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5290", "datePublished": "2020-04-01T19:25:15", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.090Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ctfd:rctf:*:*:*:*:*:*:*:*", "matchCriteriaId": "92D682E4-811E-49EF-A74D-F434C9831458", "versionEndExcluding": "2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3."}, {"lang": "es", "value": "En RedpwnCTF versiones anteriores a 2.3, se presenta una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n explotable por medio del hash \"#token=$ssid\" cuando se realiza una petici\u00f3n al endpoint \"/verify\". Un equipo atacante podr\u00eda potencialmente robar flags, por ejemplo, explotando una carga \u00fatil de tipo XSS almacenado en un desaf\u00edo CTF para que los equipos v\u00edctimas que resuelvan el desaf\u00edo, sin saberlo (y en contra de su voluntad) hayan iniciado sesi\u00f3n en la cuenta team's del atacante. Entonces, el atacante puede conseguir puntos y valores a las espaldas de las v\u00edctimas. Esto est\u00e1 parcheado en versi\u00f3n 2.3."}], "id": "CVE-2020-5290", "lastModified": "2020-04-03T13:40:49.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-04-01T20:15:15.223", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/redpwn/rctf/issues/147"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/redpwn/rctf/security/advisories/GHSA-p5fh-2vhw-fvpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Secondary"}]}