CVE-2025-65033
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rallly | rallly | up to 4.5.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authorization flaw in Rallly's poll management feature prior to version 4.5.4. It allows any authenticated user to pause or resume any poll, even one they do not own. The affected code identifies the poll only by its public pollId and never checks whether the user performing the action is the poll's owner, so any logged-in user can disrupt polls created by others.
How can this vulnerability impact me?
This vulnerability lets unauthorized users disrupt the availability and integrity of polls within the Rallly application. Any authenticated user can pause or resume polls they do not own, interrupting the collaboration or scheduling activities those polls support.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rallly to version 4.5.4 or later, where the authorization flaw in the poll management feature has been patched. Until the upgrade is applied, restrict access to poll management features to trusted users to minimize the risk of unauthorized poll disruption.