Metrics
Affected Vendors & Products
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-32560 | Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Thu, 30 Oct 2025 14:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Flagforge
Flagforge flagforge |
|
| CPEs | cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Flagforge
Flagforge flagforge |
Wed, 08 Oct 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Flagforgectf
Flagforgectf flagforge |
|
| Vendors & Products |
Flagforgectf
Flagforgectf flagforge |
Mon, 06 Oct 2025 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Oct 2025 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | |
| Title | FlagForge Allows Unauthenticated Badge Template API Access | |
| Weaknesses | CWE-200 CWE-284 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-10-06T17:15:50.147Z
Reserved: 2025-09-30T19:43:49.901Z
Link: CVE-2025-61777
Updated: 2025-10-06T17:00:13.249Z
Status : Analyzed
Published: 2025-10-06T17:16:08.127
Modified: 2025-10-30T13:53:37.307
Link: CVE-2025-61777
No data.
OpenCVE Enrichment
Updated: 2025-10-08T13:38:52Z
EUVD