CVE-2025-65028
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rallly | rallly | all versions before 4.5.4 (4.5.4 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an insecure direct object reference (IDOR) in Rallly before version 4.5.4. Any authenticated user can modify other participants' votes in a poll because the backend identifies the vote to update solely by the client-supplied participantId parameter and does not verify that the caller owns that participant record or is otherwise permitted to change it. As a result, an attacker can alter poll results arbitrarily.
How can this vulnerability impact me?
This vulnerability allows unauthorized users to alter poll results, compromising the integrity of the poll data. In collaborative decision-making, that can lead to misleading or manipulated outcomes.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rallly to version 4.5.4 or later; that release contains the patch that adds the missing ownership check and closes the insecure direct object reference (IDOR) allowing unauthorized modification of poll votes.