Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.

AI Analysis

Insecure Direct Object Reference (IDOR) vulnerability in the poll finalization feature, allowing unauthorized users to finalize polls and convert them into events

Basic Information

ID CVE-2025-65021

Source GitHub_M

Published Nov 19, 2025 at 17:24

Modified Nov 19, 2025 at 21:13

Affected Product

Vendor lukevella

Product rallly

Version < 4.5.4

Affected Versions lukevella rallly < 4.5.4

CWE Classification

CWE-285 CWE-862 CWE-639

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor lukevella

Product Rallly

Version < 4.5.4

References

{
    "lastseen": "",
    "description": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users\u2019 polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.",
    "published": "2025-11-19T17:24:31.084Z",
    "modified": "2025-11-19T21:13:27.620Z",
    "type": "cve",
    "title": "Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference (IDOR)",
    "source": "GitHub_M",
    "references": "https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8\nhttps://github.com/lukevella/rallly/releases/tag/v4.5.4",
    "id": "CVE-2025-65021",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285",
        "CWE-862",
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "lukevella rallly < 4.5.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rallly",
    "version": "< 4.5.4",
    "vendor": "lukevella",
    "ai_description": "Insecure Direct Object Reference (IDOR) vulnerability in the poll finalization feature, allowing unauthorized users to finalize polls and convert them into events",
    "ai_severity": "Critical",
    "ai_vendor": "lukevella",
    "ai_product": "Rallly",
    "ai_version": "< 4.5.4",
    "ai_score": 9.1
}

Rallly Has Unauthorized Poll Finalization via Insecure Direct Object Reference (IDOR)_CVE-2025-65021