PT-2025-21179 · Rallly · Rallly

Xorriath

·

Published

2025-05-14

·

Updated

2025-07-11

·

CVE-2025-47781

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rallly versions up to and including 3.22.1
Description: The issue concerns the email-code authentication mechanism in Rallly, an open-source scheduling and collaboration tool. When a user attempts to log in, a 6-digit code is sent to their email address to complete authentication. That code has weak entropy (one million possible values, roughly 20 bits), and the endpoint that verifies it applies no brute-force protection. An unauthenticated attacker who knows a valid email address can therefore start a login for that address and try every possible code within the code's 15-minute validity window, taking over the account. Every user of a Rallly instance is affected, provided the attacker knows the user's email address. To make the mechanism safe, the token must be a long, high-entropy value, and the "/api/auth/callback/email" endpoint should additionally be rate-limited.
Recommendations: As a temporary workaround, rate-limit the /api/auth/callback/email endpoint so that the full 6-digit code space cannot be tried within the 15-minute lifetime of a code. At the time of writing, no release containing a fix for this vulnerability is known.
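The following TypeScript is an added illustration for the description and recommendations above; it is not Rallly's code and makes no claim about how Rallly implements its login. It contrasts the weak 6-digit code with a high-entropy token, quantifies why the weak code falls to brute force inside 15 minutes, and sketches a verifier that stores only a hash of the token, expires it after 15 minutes, makes it single-use, and locks it after a small number of wrong guesses. The attempt cap of 5, the in-memory store, the injectable clock, and the 1,000 guesses-per-second figure are assumptions chosen for the example.

```typescript
import { randomBytes, randomInt, timingSafeEqual, createHash } from "crypto";

// ---- Token generation ----------------------------------------------------

// Weak: a uniformly random 6-digit numeric code, the scheme the advisory
// describes. Only 10^6 possible values, about 19.9 bits of entropy.
function weakSixDigitToken(): string {
  return randomInt(0, 1_000_000).toString().padStart(6, "0");
}

// Strong: `bytes` bytes from the CSPRNG, base64url-encoded for use in a link.
// The default of 32 bytes gives 256 bits of entropy.
function strongToken(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

// Entropy in bits of a token drawn uniformly from `space` possible values.
function entropyBits(space: number): number {
  return Math.log2(space);
}

// Expected seconds to guess one token when the verifier accepts
// `guessesPerSecond` attempts: on average half the space must be tried.
function expectedBruteForceSeconds(space: number, guessesPerSecond: number): number {
  return space / 2 / guessesPerSecond;
}

// ---- Verification with expiry, single use and an attempt cap --------------

function sha256(s: string): Buffer {
  return createHash("sha256").update(s).digest();
}

interface PendingLogin {
  tokenHash: Buffer;  // only a hash is stored, never the token itself
  expiresAt: number;  // milliseconds since epoch
  attempts: number;   // failed verification attempts so far
}

type VerifyResult = "ok" | "expired" | "locked" | "mismatch" | "unknown";

class EmailLoginVerifier {
  private readonly pending = new Map<string, PendingLogin>();

  // maxAttempts and the 15-minute TTL are assumptions for this example;
  // `now` is injectable so the expiry path can be exercised in a test.
  constructor(
    private readonly maxAttempts = 5,
    private readonly ttlMs = 15 * 60 * 1000,
    private readonly now: () => number = Date.now,
  ) {}

  // Issue a fresh token for `email` and return it for delivery by mail.
  // Re-issuing replaces any earlier pending login for the same address.
  issue(email: string, generate: () => string = strongToken): string {
    const token = generate();
    this.pending.set(email.toLowerCase(), {
      tokenHash: sha256(token),
      expiresAt: this.now() + this.ttlMs,
      attempts: 0,
    });
    return token;
  }

  // Check `token` for `email`. Every failed guess counts toward the cap, and a
  // locked entry stays locked until it expires, so an attacker cannot try the
  // whole code space no matter how fast they send requests.
  verify(email: string, token: string): VerifyResult {
    const key = email.toLowerCase();
    const entry = this.pending.get(key);
    if (!entry) return "unknown";
    if (this.now() > entry.expiresAt) {
      this.pending.delete(key);
      return "expired";
    }
    if (entry.attempts >= this.maxAttempts) return "locked";
    // Both digests are 32 bytes, so the constant-time compare is well-defined.
    if (!timingSafeEqual(entry.tokenHash, sha256(token))) {
      entry.attempts += 1;
      return "mismatch";
    }
    this.pending.delete(key); // single use: a correct token cannot be replayed
    return "ok";
  }
}

// Stand-alone demonstration of the arithmetic behind the advisory's claim.
const guessesPerSecond = 1000; // assumed attacker rate against an unthrottled endpoint
console.log(`6-digit code: ${entropyBits(1_000_000).toFixed(1)} bits, ` +
  `expected brute force ${expectedBruteForceSeconds(1_000_000, guessesPerSecond)} s, ` +
  `worst case ${1_000_000 / guessesPerSecond} s (< 15 min = 900 s)`);
console.log(`32-byte token: ${entropyBits(2 ** 256)} bits, e.g. ${strongToken()}`);
console.log(`weak sample: ${weakSixDigitToken()}`);
```

At 1,000 guesses per second the full 6-digit space takes 1,000 seconds and the expected time to hit the right code is 500 seconds, both inside the 15-minute window, which is why rate limiting alone only raises the bar while the attempt cap and the high-entropy token remove the attack outright.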

Related Identifiers

CVE-2025-47781
GHSA-GM8G-3R3J-48HV

Affected Products

Rallly