Rallly Comment Deletion API Authorization Flaw Allows Unauthorized Comment Removal

Vulnerability

An authorization vulnerability has been identified in Rallly, an open-source scheduling and collaboration tool, prior to version 4.5.4. The issue allows any authenticated user to delete comments belonging to other users, including those of poll owners and administrators. The vulnerability arises because the comment deletion API endpoint only verifies the comment ID, without checking if the user requesting the deletion owns the comment or has the necessary permissions. This flaw has been addressed in version 4.5.4.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of comments from any user, including poll owners and administrators. This not only removes content but also disrupts the integrity of the application's data, creating potential for misuse by silencing key participants in polls.

Reproduction

To reproduce this vulnerability, log into Rallly as an authenticated user. Use the comment deletion API endpoint, replacing the comment ID with that of a comment belonging to another user, such as a poll owner or administrator. The request will be processed successfully without any authorization checks, allowing the comment to be deleted.

Remediation

Users are advised to upgrade to Rallly version 4.5.4 or later, where this vulnerability has been patched.

Added: Nov 19, 2025, 6:17 PM
Updated: Nov 19, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  6.2
  remediation     7.7
  relevance       1.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.