CVE-2025-65033
8.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Exploitability: 2.8 / Impact: 5.2
Source: security-advisories@github.com (Secondary)
Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
Affected (1)
Related CWEs
CWE-285
Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
References (3)
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
ExploitVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor Advisory
Timeline
No history available yet.