PT-2025-47507 · Rallly · Rallly

Published 2025-11-19 · Updated 2025-11-25 · CVE-2025-65030

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Rallly versions prior to 4.5.4

Description: An authorization flaw exists in the comment deletion functionality of Rallly, an open-source scheduling and collaboration tool. Authenticated users can delete comments belonging to other users, including administrators and poll owners. The issue stems from insufficient validation when deleting comments via the API: the deletion process relies only on the comment ID and does not verify that the caller owns the comment or is otherwise permitted to delete it. The vulnerable API endpoint is '/comments/{id}/delete'.

Recommendations: Update to version 4.5.4 or later.
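The following is an added illustration of the flaw class described above, not Rallly's own code: a deletion handler that acts on the comment id alone, beside one that derives the authorization decision from the stored comment and poll. The store, user roles, ids and function names are assumptions constructed for the example.

```typescript
// Added illustration, not Rallly's code: a comment-deletion handler that trusts
// only the comment id (the flaw in the advisory) next to one that decides
// authorization from server-side state. Store, users, roles and ids are constructed.

type Role = "admin" | "user";
interface User { id: string; role: Role }
interface Poll { id: string; ownerId: string }
interface PollComment { id: string; pollId: string; authorId: string }

// Constructed sample data standing in for the database.
const polls = new Map<string, Poll>([["poll-1", { id: "poll-1", ownerId: "alice" }]]);
function freshComments(): Map<string, PollComment> {
  return new Map<string, PollComment>([
    ["c-1", { id: "c-1", pollId: "poll-1", authorId: "alice" }],
    ["c-2", { id: "c-2", pollId: "poll-1", authorId: "bob" }],
  ]);
}

// Vulnerable pattern: any authenticated caller deletes any comment by id.
function deleteCommentVulnerable(store: Map<string, PollComment>, _caller: User, commentId: string): boolean {
  return store.delete(commentId);
}

// Hardened: the decision uses the stored comment and poll, never client-supplied claims.
function canDeleteComment(caller: User, comment: PollComment, poll: Poll | undefined): boolean {
  if (caller.role === "admin") return true;                          // site administrator
  if (comment.authorId === caller.id) return true;                    // author deletes own comment
  if (poll !== undefined && poll.ownerId === caller.id) return true;  // poll owner moderates
  return false;
}

type DeleteResult = "deleted" | "forbidden" | "not_found";

function deleteCommentSafe(store: Map<string, PollComment>, caller: User, commentId: string): DeleteResult {
  const comment = store.get(commentId);
  if (comment === undefined) return "not_found";
  if (!canDeleteComment(caller, comment, polls.get(comment.pollId))) return "forbidden";
  store.delete(commentId);
  return "deleted";
}
```

Returning a distinct "forbidden" result also gives the server a clean point to log denied deletions, which is the signal a defender would watch for attempts against this class of bug.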

Exploit

Fix

Weakness Enumeration: Improper Authorization, IDOR

Related Identifiers:
CVE-2025-65030
GHSA-4J32-25F9-QGFM

Affected Products:
Rallly