Overview
CVE-2025-65033 identifies a high-severity authorization vulnerability in Rallly, an open-source scheduling and collaboration tool. Specifically, versions prior to 4.5.4 contain a flaw that allows any authenticated user to pause or resume any poll, regardless of whether they are the poll’s owner. This is due to insufficient authorization checks when handling poll management actions.
Technical Details
The vulnerability stems from the fact that Rallly's pause and resume handlers identified the target poll by its public `pollId` alone. The `pollId` is the identifier that appears in a poll's shareable link, so it is not a secret, and the handlers never checked that the user making the request was the poll's owner. Any user who had merely authenticated to the Rallly instance could therefore change the state of any poll whose `pollId` they knew or obtained. This is a broken object-level authorization (IDOR) pattern: the object reference is validated for existence but not for the caller's right to act on it. The flaw is confined to the poll management functionality behind the pause and resume actions.
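The following TypeScript example is added here to illustrate the authorization gap described above; it is not Rallly's code, and the types and function names (`PollStore`, `pausePollUnchecked`, `pausePollChecked`, `nonOwnerCanPause`) are hypothetical stand-ins for the real handlers. It shows the vulnerable shape (trusting `pollId` alone), the hardened shape (comparing the caller to the poll's owner before mutating), and a cross-account probe that doubles as the shape of the post-upgrade ownership check recommended later on this page.

```typescript
// Added illustration of the CVE-2025-65033 authorization gap. NOT Rallly's code:
// PollStore, pausePollUnchecked, pausePollChecked and nonOwnerCanPause are
// hypothetical names chosen for this example.

type PollStatus = "live" | "paused";

interface Poll {
  id: string;      // public pollId, embedded in the shareable link
  ownerId: string; // user who created the poll
  status: PollStatus;
}

// Minimal in-memory store standing in for the database layer.
class PollStore {
  private polls = new Map<string, Poll>();

  constructor(seed: Poll[]) {
    for (const p of seed) this.polls.set(p.id, { ...p });
  }

  get(id: string): Poll | undefined {
    return this.polls.get(id);
  }

  setStatus(id: string, status: PollStatus): void {
    const p = this.polls.get(id);
    if (!p) throw new Error("not found");
    p.status = status;
  }
}

// Vulnerable shape (the pre-4.5.4 behaviour the advisory describes): the
// handler looks the poll up by pollId and never consults the caller's identity.
function pausePollUnchecked(store: PollStore, actorId: string, pollId: string): Poll {
  void actorId; // present in the request context but ignored
  if (!store.get(pollId)) throw new Error("not found");
  store.setStatus(pollId, "paused");
  return store.get(pollId)!;
}

// Hardened shape: an object-level authorization check runs before any write.
// Missing and foreign polls both yield "not found" so a guessed id is not
// confirmed to exist.
function pausePollChecked(store: PollStore, actorId: string, pollId: string): Poll {
  const poll = store.get(pollId);
  if (!poll || poll.ownerId !== actorId) throw new Error("not found");
  store.setStatus(pollId, "paused");
  return store.get(pollId)!;
}

// Cross-account probe: can a non-owner pause someone else's poll?
// Returns true when the handler under test is vulnerable. The fixture is
// constructed for this example: alice owns the poll, mallory is merely logged in.
function nonOwnerCanPause(
  handler: (s: PollStore, actorId: string, pollId: string) => Poll
): boolean {
  const store = new PollStore([{ id: "abc123", ownerId: "alice", status: "live" }]);
  try {
    handler(store, "mallory", "abc123");
  } catch {
    // rejected; fall through and confirm the state really is unchanged
  }
  return store.get("abc123")!.status === "paused";
}

// Stand-alone run
console.log("unchecked handler vulnerable:", nonOwnerCanPause(pausePollUnchecked)); // true
console.log("checked handler vulnerable:", nonOwnerCanPause(pausePollChecked));     // false
```

The probe deliberately asserts on the stored state rather than on whether the call threw: a handler that returns an error but has already written the new status is still vulnerable, so the check must look at the object after the attempt.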
CVSS Analysis
This vulnerability has been assigned a CVSS score of 8.1, indicating a high severity. Here’s a breakdown:
- CVSS Score: 8.1
- Vector String: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (CVSS v3.1). This vector is the author's reconstruction from the description rather than a published NVD string; it does compute to a base score of 8.1.
- Explanation: The vulnerability is reachable over the network (AV:N), requires no special conditions to exploit (AC:L), and needs only an ordinary authenticated account (PR:L). No user interaction is required (UI:N), and the scope is unchanged (S:U). Integrity impact is high (I:H) because an attacker can change the state of polls they do not own, and availability impact is high (A:H) because a paused poll cannot be used by its participants. Confidentiality is not affected (C:N): the flaw allows state changes, not data disclosure.
Possible Impact
The exploitation of CVE-2025-65033 can lead to significant disruption and a loss of trust in the Rallly platform. Specifically, attackers can:
- Disrupt ongoing polls: By pausing a poll, an attacker prevents participants from responding and blocks the event from being scheduled until the owner notices and resumes it.
- Influence poll outcomes: Votes themselves are not altered, but pausing and resuming a poll at chosen moments can shape who is able to participate and therefore which option wins.
- Deny availability at scale: Because the action requires no owner privileges, an attacker holding a list of `pollId` values (for example, harvested from shared links) can pause every one of them, making the scheduling function unavailable across the instance.
- Damage reputation: The inability to rely on Rallly for accurate scheduling can damage the reputation of organizations using the platform.
Mitigation and Patch Steps
The vulnerability has been addressed in Rallly version 4.5.4. It is strongly recommended that all users upgrade to this version or a later version as soon as possible.
- Upgrade Rallly: The primary mitigation is to upgrade your Rallly installation to version 4.5.4 or later. Follow the official Rallly upgrade instructions.
- Verify the fix after upgrading: Using two ordinary accounts, create a poll with the first, then attempt to pause and to resume it while logged in as the second. Both requests should be rejected, and the poll's status as seen by the owner should be unchanged afterwards. Checking the stored state, not just the error response, confirms that the authorization check runs before the write.
