CVE-2025-65034

EUVD-2025-198231
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
ralllyrallly
𝑥
< 4.5.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/lukevella/rallly/releases/tag/v4.5.4
https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc
https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc