CVE-2025-65032
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rallly | rallly | to 4.5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) in Rallly versions prior to 4.5.4. It allows any authenticated user to change the display names of other participants in polls by manipulating the participantId parameter in a rename request, even if they are not an admin or the poll owner. This can lead to unauthorized modification of user names.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to alter the display names of other users in polls, which violates data integrity and can cause confusion or impersonation attacks. This may undermine trust in the system and disrupt collaboration.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Rallly to version 4.5.4 or later, where the issue has been patched.