CVE-2025-65033

Опубликовано: 19 нояб. 2025

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.

Ссылки

https://github.com/lukevella/rallly/releases/tag/v4.5.4
Release Notes
https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3
Exploit
Vendor Advisory
https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*

Версия до 4.5.4 (исключая)

EPSS

Процентиль: 18%

0.00058

Низкий

8.1 High

CVSS3

Дефекты

CWE-285