PT-2025-47506 · Rallly · Rallly

Published

2025-11-19

·

Updated

2025-11-25

·

CVE-2025-65029

CVSS v3.1

8.1

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Rallly versions prior to 4.5.4
Description An insecure direct object reference (IDOR) issue exists in Rallly, allowing any authenticated user to delete arbitrary participants from polls without an ownership check. The vulnerable API endpoint deletes a participant based solely on the supplied participant ID: it verifies that the caller is logged in, but not that the caller owns the poll or the participant record being removed. An attacker who knows a participant ID can therefore remove other users, including the poll owner, from any poll, affecting data integrity and availability (hence I:H/A:H with no confidentiality impact in the vector above).
Recommendations Update to version 4.5.4 or later. To confirm the fix in a deployment, attempt to delete a participant created by one account while logged in as a second, unrelated account and verify that the request is rejected and the participant remains in the poll.

Weakness Enumeration

Improper Authorization

IDOR

Missing Authorization

Related Identifiers

CVE-2025-65029
GHSA-F8JC-6746-WW95

Affected Products

Rallly