Published: 2025-11-19T18:15:50.203
Overview
CVE-2025-65028 describes an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, an open-source scheduling and collaboration tool. Any authenticated user can overwrite another participant's votes in a poll, because the server never checks that the caller owns the participant record it is asked to update. The result is that poll outcomes, and any scheduling decisions made on them, cannot be trusted on an unpatched instance.
Technical Details
Prior to version 4.5.4, Rallly's backend identified which votes to update solely by the participantId supplied in the request, without verifying that the requesting user owned that participant or otherwise had permission to edit the poll. An attacker could capture a legitimate vote-update request for their own participant, replace the participantId with that of another participant, and replay it; the server would then overwrite that participant's votes. The authentication layer is not bypassed: the attacker is a valid logged-in user, and the request is well-formed. What is missing is the authorization step that ties the object named in the request (the participant) back to the caller's identity. Because the tampered request looks like ordinary traffic, the only server-side signal of abuse is a mismatch between the session user and the owner of the participant being edited.
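The pattern above, shown as an added TypeScript illustration rather than Rallly's own code: a vote-update handler that trusts the client-supplied participantId, beside a hardened version that resolves the participant server-side and checks ownership before writing. The in-memory store, the field names, the error classes and the rule that the poll owner may also edit a participant's votes are all assumptions made for the example.

```typescript
// Added example for CVE-2025-65028's IDOR pattern. Not Rallly's code: the store
// shape, field names and the "poll owner may also edit" rule are assumptions.

type VoteType = "yes" | "ifNeedBe" | "no";

interface Poll { id: string; ownerUserId: string }
interface Participant { id: string; pollId: string; userId: string }
interface Vote { participantId: string; optionId: string; type: VoteType }
interface Session { userId: string }
interface VoteInput { optionId: string; type: VoteType }
interface UpdateVotesInput { participantId: string; votes: VoteInput[] }
interface Store { polls: Poll[]; participants: Participant[]; votes: Vote[] }

export class ForbiddenError extends Error {
  constructor(msg = "FORBIDDEN") { super(msg); this.name = "ForbiddenError"; }
}
export class NotFoundError extends Error {
  constructor(msg = "NOT_FOUND") { super(msg); this.name = "NotFoundError"; }
}

// Constructed sample data: one poll owned by alice; alice and bob are participants.
export function createStore(): Store {
  return {
    polls: [{ id: "poll-1", ownerUserId: "alice" }],
    participants: [
      { id: "p-alice", pollId: "poll-1", userId: "alice" },
      { id: "p-bob", pollId: "poll-1", userId: "bob" },
    ],
    votes: [
      { participantId: "p-alice", optionId: "opt-1", type: "yes" },
      { participantId: "p-bob", optionId: "opt-1", type: "no" },
    ],
  };
}

// Data-layer write shared by both handlers: replace every vote of one participant.
function writeVotes(store: Store, participantId: string, input: VoteInput[]): void {
  store.votes = store.votes.filter((v) => v.participantId !== participantId);
  for (const v of input) store.votes.push({ participantId, ...v });
}

// Vulnerable pattern: the caller is authenticated, but the participantId from
// the request is used as-is, so any logged-in user can rewrite anyone's votes.
export function updateVotesVulnerable(store: Store, session: Session, input: UpdateVotesInput): void {
  if (!session.userId) throw new ForbiddenError("UNAUTHORIZED");
  writeVotes(store, input.participantId, input.votes);
}

// Hardened pattern: load the participant on the server and require that the
// caller owns it, or (assumed rule) owns the poll it belongs to.
export function updateVotesSecure(store: Store, session: Session, input: UpdateVotesInput): void {
  if (!session.userId) throw new ForbiddenError("UNAUTHORIZED");
  const participant = store.participants.find((p) => p.id === input.participantId);
  if (!participant) throw new NotFoundError();
  const poll = store.polls.find((p) => p.id === participant.pollId);
  const ownsParticipant = participant.userId === session.userId;
  const ownsPoll = poll !== undefined && poll.ownerUserId === session.userId;
  if (!ownsParticipant && !ownsPoll) throw new ForbiddenError();
  writeVotes(store, input.participantId, input.votes);
}

export function getVote(store: Store, participantId: string, optionId: string): VoteType | undefined {
  return store.votes.find((v) => v.participantId === participantId && v.optionId === optionId)?.type;
}

// Demonstration: bob replays a vote update with alice's participantId.
const bob: Session = { userId: "bob" };
const tampered: UpdateVotesInput = { participantId: "p-alice", votes: [{ optionId: "opt-1", type: "no" }] };

const unpatched = createStore();
updateVotesVulnerable(unpatched, bob, tampered);
console.log("vulnerable: alice's vote is now", getVote(unpatched, "p-alice", "opt-1")); // "no"

const patched = createStore();
try {
  updateVotesSecure(patched, bob, tampered);
} catch (e) {
  console.log("hardened: request rejected with", (e as Error).name); // "ForbiddenError"
}
console.log("hardened: alice's vote is still", getVote(patched, "p-alice", "opt-1")); // "yes"
```

The fix is deliberately placed in the handler rather than in the client: the participantId the client sends is an untrusted identifier, and the only thing that makes it safe to act on is a server-side lookup that confirms the relationship between that object and the authenticated session. Checking for an unknown participant before the ownership test also avoids leaking whether an ID exists to a caller who has no right to it.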
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-65028 a score of 6.5 (MEDIUM). The full vector is not reproduced here, but a score of 6.5 is consistent with a network-reachable flaw that requires only a low-privilege account, no user interaction and no special conditions, and whose impact is confined to integrity (votes can be rewritten) with no loss of confidentiality or availability. The requirement to hold an account is what keeps the rating out of the HIGH range; on instances with open registration that requirement is a weak barrier.
Possible Impact
The exploitation of this IDOR vulnerability could lead to several negative consequences, including:
- Compromised Poll Results: Attackers can manipulate poll results to favor their desired outcomes.
- Loss of Trust: The integrity of the scheduling and collaboration process is undermined, leading to a loss of trust in the application.
- Data Integrity Issues: The vulnerability allows for the alteration of data, potentially impacting other dependent processes or decisions.
Mitigation and Patch Steps
The vulnerability is fixed in Rallly version 4.5.4. All operators should upgrade to 4.5.4 or later and confirm the running version afterwards. The fix is expected to add the missing authorization check so that votes can only be changed by the user who owns the corresponding participant record (or by someone otherwise permitted to manage the poll). Until the upgrade is in place, restricting who can authenticate to the instance, for example by disabling open sign-up or placing the instance behind an organisation's identity provider, shrinks the pool of potential attackers but does not remove the flaw, since any remaining authenticated user can still exploit it. Where tampering is suspected, vote changes should be reviewed against the session that submitted them, as that mismatch is the only server-side indicator of abuse.
