Vulnerability Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rallly | Rallly | < 4.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/lukevella/rallly/releases/tag/v4.5.4Release Notes
- https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpmExploitThird Party Advisory
FAQ
What is CVE-2025-65031?
CVE-2025-65031 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other ...
How severe is CVE-2025-65031?
CVE-2025-65031 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65031?
Check the references section above for vendor advisories and patch information. Affected products include: Rallly Rallly.