Overview
A high-severity vulnerability, identified as CVE-2025-65034, has been discovered in Rallly, an open-source scheduling and collaboration tool. This vulnerability allows authenticated users to reopen finalized polls belonging to other users, leading to potential disruption and data integrity issues. Immediate action is recommended to mitigate this risk.
Technical Details
The vulnerability stems from improper authorization checks within the Rallly application. Specifically, any authenticated user can manipulate the pollId parameter to target and reopen finalized polls created by other users. This bypasses intended access controls and enables unauthorized modification of poll settings. This flaw affects versions prior to 4.5.4. The fix…
Overview
CVE-2025-65033 identifies a high-severity authorization vulnerability in Rallly, an open-source scheduling and collaboration tool. Specifically, versions prior to 4.5.4 contain a flaw that allows any authenticated user to pause or resume any poll, regardless of whether they are the poll's owner. This is due to insufficient authorization checks when handling poll management actions.
Technical Details
The vulnerability stems from the fact that Rallly uses only the public `pollId` to identify polls when processing pause and resume requests. The system fails to verify that the user initiating the action is actually the poll owner. This lack of validation means an…
Overview
CVE-2025-65032 describes an Insecure Direct Object Reference (IDOR) vulnerability found in Rallly, an open-source scheduling and collaboration tool. This flaw, present in versions prior to 4.5.4, allowed any authenticated user to modify the display names of other participants within polls, regardless of whether they were an administrator or the poll's owner. By manipulating the participantId parameter in a rename request, malicious users could potentially cause confusion, data integrity issues, or even conduct impersonation attacks.
Technical Details
The vulnerability resides in the lack of proper authorization checks when processing requests to rename participants in a poll. The application failed to…
Overview
CVE-2025-65031 is a medium-severity vulnerability affecting Rallly, an open-source scheduling and collaboration tool. This improper authorization flaw allows authenticated users to post comments under the guise of other users, including administrators. This could lead to misinformation, phishing attacks, and social engineering within your Rallly instance. This vulnerability has been addressed in Rallly version 4.5.4. We strongly recommend upgrading to this version immediately.
Technical Details
The vulnerability resides in the comment creation endpoint of the Rallly API. Specifically, the authorName field in the API request is not properly validated. An authenticated user can modify this field to impersonate any…
Overview
CVE-2025-65030 describes a high-severity authorization vulnerability affecting Rallly, an open-source scheduling and collaboration tool. Prior to version 4.5.4, this flaw allows any authenticated user to delete comments created by other users, including those belonging to poll owners and administrators. This unauthorized deletion is possible due to insufficient authorization checks in the comment deletion API.
Technical Details
The vulnerability lies in the Rallly comment deletion API endpoint. The endpoint responsible for deleting comments uses only the comment ID to identify the comment to be removed. Crucially, it does not validate whether the user making the request is the owner of…
Overview
CVE-2025-65029 is a high-severity security vulnerability affecting Rallly, an open-source scheduling and collaboration tool. Specifically, it is an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to delete participants from polls without proper authorization. This flaw can lead to unauthorized removal of users from polls, potentially disrupting scheduled events and compromising data integrity.
Technical Details
The vulnerability exists because the endpoint responsible for deleting participants relies solely on the participant ID to authorize the deletion request. No verification is performed to ensure that the user initiating the deletion actually owns or has the permission to manage…
Published: 2025-11-19T18:15:50.203
Overview
CVE-2025-65028 describes an Insecure Direct Object Reference (IDOR) vulnerability found in Rallly, an open-source scheduling and collaboration tool. This vulnerability allows any authenticated user to modify other participants' votes in polls without proper authorization. This poses a significant risk to the integrity of poll results and overall data integrity within the application.
Technical Details
Prior to version 4.5.4, Rallly's backend relied solely on the participantId parameter to identify which votes to update. Crucially, it lacked proper verification of ownership or poll permissions. An attacker could exploit this by intercepting and modifying network requests to change the participantId…
Overview
CVE-2025-65026 describes a template literal injection vulnerability found in esm.sh, a no-build content delivery network (CDN) for modern web development. This vulnerability, present in versions prior to 136, allows attackers to inject malicious JavaScript code into CSS files that are processed and served by the CDN. By crafting specially designed CSS files containing JavaScript injection payloads, attackers can achieve Cross-Site Scripting (XSS) in browsers and potentially Remote Code Execution (RCE) in Electron applications that rely on the vulnerable CDN.
Technical Details
The vulnerability lies in the CSS-to-JavaScript module conversion feature of esm.sh. When a CSS file is requested with…
A critical security vulnerability, identified as CVE-2025-65021, has been discovered in Rallly, a popular open-source scheduling and collaboration tool. This vulnerability could allow unauthorized users to finalize polls, potentially leading to significant disruptions and data integrity issues. If you are using Rallly, immediate action is required to mitigate this risk.
Overview
Rallly is an open-source web application designed for scheduling events and facilitating collaboration. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability existed in the poll finalization feature. This flaw allows any authenticated user to finalize a poll that they do not own.
Technical Details
The vulnerability…
Overview
CVE-2025-65020 is a medium-severity security vulnerability affecting Rallly, an open-source scheduling and collaboration tool. This vulnerability, classified as an Insecure Direct Object Reference (IDOR), allows authenticated users to duplicate polls they do not own. By manipulating the `pollId` parameter in the `/api/trpc/polls.duplicate` endpoint, attackers can bypass access controls and clone private or administrative polls. This issue has been addressed in Rallly version 4.5.4.
Technical Details
The vulnerability lies within the `polls.duplicate` endpoint of the Rallly API. Specifically, the application fails to properly validate whether the authenticated user has the necessary permissions to duplicate a poll before proceeding with…