Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.
After user logout, the application does not properly invalidate their session on the server side (CWE-613 — insufficient session expiration). A previously authenticated user can still send requests to protected endpoints, such as /api/profile, and receive server responses. Additionally, CSRF tokens remain active after logout (CWE-384 — session persistence), which may allow performing unauthorized actions on behalf of the logged-out user.
An attacker or person with access to an old session token can continue accessing protected data and perform unauthorized operations in the application even after the victim's formal logout.
FlagForge should be updated to version 2.3.1, in which the issue has been fixed. Patch available in the manufacturer's GitHub repository (commit 304b6c82a4f76871b336404b91e5cdd8a7d7d5bd).
Flagforge FlagForge versions 2.2.0 to before 2.3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFlagforge
APPFlagforge2.2 – 2.3.1 (bez)
Related vulnerabilities
Flagforge: brak uwierzytelnienia w endpointach szablonów odznak
Brak kontroli dostępu w Flag Forge — privilege escalation przez endpoint przypisywania odznak
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of ...
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpo...
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET ...