Описание
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4.
Ссылки
- Release Notes
- ExploitVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 4.5.4 (исключая)
cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*
EPSS
Процентиль: 17%
0.00054
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-285
EPSS
Процентиль: 17%
0.00054
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-285