CVE-2025-65030
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rallly | rallly | to 4.5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rallly to version 4.5.4 or later, as this version contains the patch that fixes the authorization flaw in the comment deletion API.
Can you explain this vulnerability to me?
This vulnerability is an authorization flaw in Rallly's comment deletion API prior to version 4.5.4. It allows any authenticated user to delete comments made by other users, including those by poll owners and administrators, because the API only checks the comment ID and does not verify if the user has permission to delete that comment.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized deletion of comments by users who should not have permission, potentially disrupting collaboration, deleting important information, and undermining trust in the platform's integrity and security.