HIGH🇵🇱 Wersja polska

CVE-2025-65033

CVSS 8.1v3.1pub. 2025-11-19upd. 2025-11-24

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
  • Rallly

    APP
    Rallly
    < 4.5.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-65021CRITICAL9.1PL ✓ten sam produkt

IDOR w Rallly — nieautoryzowane finalizowanie ankiet innych użytkowników

CVE-2025-47781CRITICAL9.8PL ✓ten sam produkt

Rallly – brute force tokenu logowania umożliwia przejęcie konta

CVE-2025-66027HIGH7.1ten sam produkt

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure ...

CVE-2025-65030HIGH7.1ten sam produkt

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in t...

CVE-2025-65034HIGH8.1ten sam produkt

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization ...