CVE-2025-59841

Vendor: Flag Forge · Product: Flag Forge Capture The Flag platform · Multiple Products

Executive summary

A critical vulnerability has been identified in the Flag Forge Capture The Flag (CTF) platform, which fails to properly terminate user sessions. This flaw allows an attacker who has stolen a user's session token to maintain persistent access to the account, even after the legitimate user logs out or changes their password. Successful exploitation could lead to complete account takeover, unauthorized data access, and manipulation of the CTF environment.

Vulnerability

The Flag Forge web application contains a broken authentication and session management vulnerability. Specifically, the application fails to properly invalidate session identifiers upon user-initiated logout, password changes, or other security-sensitive events. An attacker who obtains a valid session token (e.g., through cross-site scripting, malware, or network sniffing) can reuse this token indefinitely to impersonate the victim. The application continues to honor the compromised session, granting the attacker the same level of access and privileges as the legitimate user.
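The defect class described above, beside its usual fix, as an added example written for this advisory. It is not code taken from Flag Forge (the advisory does not describe the platform's stack or session mechanism); the class names, the per-user `auth_version` counter and the 15-minute idle timeout are assumptions made for the illustration.

```python
"""Added example, not Flag Forge's code: a vulnerable session store beside a
hardened one. Class names, the `auth_version` field and the 15-minute idle
timeout are assumptions made for this illustration."""
import secrets
import time
from dataclasses import dataclass


class VulnerableSessionStore:
    """Logout only clears the browser cookie; the server keeps honouring the
    token, and a password change leaves every existing session valid."""

    def __init__(self):
        self._sessions = {}  # token -> user

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Defect: nothing is removed server-side, so a copy of the token
        # obtained earlier keeps resolving to the user.
        return None

    def change_password(self, user, token, new_password):
        # Defect: the credential changes but sessions are untouched.
        return token

    def resolve(self, token):
        return self._sessions.get(token)


@dataclass
class Session:
    user: str
    auth_version: int   # the user's auth_version at the time of issue
    last_seen: float


class HardenedSessionStore:
    IDLE_TIMEOUT = 15 * 60  # seconds; short, in the spirit of the compensating control

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so timeouts are testable
        self._sessions = {}       # token -> Session (server-side record)
        self._auth_version = {}   # user -> int, bumped on every sensitive event

    def _version(self, user):
        return self._auth_version.get(user, 0)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._version(user), self._now())
        return token

    def logout(self, token):
        # Drop the server-side record; a copied token is dead from here on.
        self._sessions.pop(token, None)

    def change_password(self, user, token, new_password):
        current = self._sessions.get(token)
        if current is None or current.user != user:
            raise PermissionError("password change requires a valid session for this user")
        # (A real store hashes and persists new_password here.)
        # Bumping the version invalidates every session issued before this
        # point without enumerating them; the caller then gets a fresh one.
        self._auth_version[user] = self._version(user) + 1
        self._sessions.pop(token, None)
        return self.login(user)

    def resolve(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        stale_version = s.auth_version != self._version(s.user)
        idle_expired = self._now() - s.last_seen > self.IDLE_TIMEOUT
        if stale_version or idle_expired:
            del self._sessions[token]   # revoke on first sight
            return None
        s.last_seen = self._now()
        return s.user
```

The version counter is what makes "invalidate all sessions after a password change" cheap in a distributed session cache: nothing has to be enumerated, and the same bump serves as the post-patch "invalidate all active sessions" step the remediation calls for.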

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to significant business impact, including the complete compromise of user and administrator accounts. For a CTF platform, this could result in the theft of sensitive user information, leakage of challenge solutions, manipulation of scores, and disruption of competitions. If an administrator account is compromised, an attacker could gain full control over the platform, leading to severe reputational damage and loss of user trust.

Remediation

Immediate Action: Apply the vendor-supplied security update to all instances of Flag Forge to upgrade to version 2.3.1 or later. After patching, it is crucial to manually invalidate all active user sessions to terminate any potentially hijacked sessions that may persist.

Proactive Monitoring: Monitor web application and server access logs for anomalous session activity. Specifically, look for multiple, concurrent logins for a single user account from geographically dispersed IP addresses, or session activity that continues after a logout event has been logged for that user.
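The two log checks suggested above, run over constructed sample lines, as an added example that is not part of the advisory. The log format (`ts user= sid= ip= event=`) is an assumption; real Flag Forge logs will need their own parser. "Geographically dispersed" is approximated here by distinct source IP addresses, since an offline example cannot do GeoIP lookups.

```python
"""Added example, not from the advisory: hunting for post-logout session use
and concurrent logins from different addresses. The log format and the sample
lines are constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-10-01T09:00:00Z user=alice sid=s1 ip=198.51.100.10 event=login
2025-10-01T09:05:00Z user=alice sid=s1 ip=198.51.100.10 event=request
2025-10-01T09:10:00Z user=alice sid=s1 ip=198.51.100.10 event=logout
2025-10-01T09:20:00Z user=alice sid=s1 ip=203.0.113.77 event=request
2025-10-01T09:30:00Z user=bob sid=s2 ip=192.0.2.15 event=login
2025-10-01T09:31:00Z user=bob sid=s3 ip=203.0.113.9 event=login
2025-10-01T09:32:00Z user=bob sid=s2 ip=192.0.2.15 event=request
2025-10-01T09:33:00Z user=bob sid=s3 ip=203.0.113.9 event=request
2025-10-01T10:00:00Z user=carol sid=s4 ip=192.0.2.40 event=login
2025-10-01T10:05:00Z user=carol sid=s4 ip=192.0.2.40 event=logout
"""


def parse(lines):
    """Parse matching lines into dicts and return them sorted by timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_post_logout_activity(events):
    """Any event on a session id after that session id logged out.
    On a correctly patched server this list should be empty."""
    logged_out = {}  # sid -> logout time
    alerts = []
    for e in events:
        if e["event"] == "logout":
            logged_out[e["sid"]] = e["ts"]
        elif e["sid"] in logged_out and e["ts"] > logged_out[e["sid"]]:
            alerts.append({"user": e["user"], "sid": e["sid"], "ip": e["ip"], "ts": e["ts"]})
    return alerts


def find_concurrent_logins(events, window=timedelta(minutes=30)):
    """A login while the same user already has a live session from a different
    IP that logged in within `window`. Returns (user, ts, new_ip, other_ips)."""
    active = defaultdict(dict)  # user -> {sid: (ip, login time)}
    alerts = []
    for e in events:
        if e["event"] == "login":
            others = sorted({ip for ip, ts in active[e["user"]].values()
                             if ip != e["ip"] and e["ts"] - ts <= window})
            if others:
                alerts.append((e["user"], e["ts"], e["ip"], others))
            active[e["user"]][e["sid"]] = (e["ip"], e["ts"])
        elif e["event"] == "logout":
            active[e["user"]].pop(e["sid"], None)
    return alerts


def run_detections(log_text):
    events = parse(log_text.splitlines())
    return find_post_logout_activity(events), find_concurrent_logins(events)


if __name__ == "__main__":
    post_logout, concurrent = run_detections(SAMPLE_LOG)
    for a in post_logout:
        print(f"session reuse after logout: {a}")
    for a in concurrent:
        print(f"concurrent login from different IPs: {a}")
```

The post-logout check is the stronger indicator for this CVE: on a server that revokes sessions correctly, a request carrying a logged-out session id should be rejected and never reach the application log as authenticated activity, so any hit is worth investigating. Concurrent logins from different networks are noisier (mobile and VPN users trigger them) and belong in a triage queue rather than an automatic block.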

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Enforce very short session timeout periods to limit the window of opportunity for an attacker to use a stolen session token.
  • Deploy a Web Application Firewall (WAF) with rules to detect and block suspicious session hijacking patterns.
  • Enforce Multi-Factor Authentication (MFA) across all accounts to make initial session token theft more difficult.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.8) of this vulnerability and the high likelihood of exploitation, it is imperative that organizations patch all affected Flag Forge systems immediately. Although this CVE is not currently listed on the CISA KEV catalog, its high impact makes it a prime candidate for future inclusion. We strongly recommend prioritizing the deployment of the vendor's patch and subsequently hunting for any signs of existing compromise by reviewing logs for the indicators mentioned in the Proactive Monitoring section.