Rallly Improper Authorization Allows Reopening of Any Finalized Poll via...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.

Basic Information

ID CVE-2025-65034

Source GitHub_M

Published Nov 19, 2025 at 17:26

Modified Nov 19, 2025 at 20:20

Affected Product

Vendor lukevella

Product rallly

Version < 4.5.4

Affected Versions lukevella rallly < 4.5.4

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.",
    "published": "2025-11-19T17:26:59.038Z",
    "modified": "2025-11-19T20:20:04.793Z",
    "type": "cve",
    "title": "Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId",
    "source": "GitHub_M",
    "references": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc\nhttps://github.com/lukevella/rallly/releases/tag/v4.5.4",
    "id": "CVE-2025-65034",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "lukevella rallly < 4.5.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rallly",
    "version": "< 4.5.4",
    "vendor": "lukevella",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId_CVE-2025-65034