Rallly Improper Authorization Vulnerability in Comment Creation Endpoint Allows User Impersonation
Vulnerability
An improper authorization vulnerability has been identified in Rallly, an open-source scheduling and collaboration tool, in versions prior to 4.5.4. The comment creation endpoint trusts the client-supplied authorName field, so any authenticated user can post a comment attributed to any other user simply by changing that field in the API request. This includes the names of privileged users such as administrators, and comments posted under such identities could mislead other users and facilitate phishing or social engineering.
Impact
Exploitation of this vulnerability allows for user impersonation, where an attacker can post comments as if they were another user, potentially an administrator or a poll owner. This could be used to distribute phishing links or malicious content under a trusted identity, damaging the platform's integrity and user trust.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and participate in a poll. Intercept the comment submission request and modify the authorName field to impersonate another user, such as an admin. Forward the modified request, and the comment will be posted successfully under the impersonated username.
Remediation
Users are advised to update to Rallly version 4.5.4 or later, where this vulnerability has been patched.
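As an added illustration (not Rallly's own code and not the 4.5.4 patch), the handler below shows the defect class beside one standard hardening: the vulnerable version copies authorName from the request body, while the hardened version resolves the author from the authenticated session and logs any mismatch so the attempt is visible to detection. The store, user records, session shape and function names are assumptions for this example.

```javascript
// Constructed example, not Rallly's code: comment creation that trusts a
// client-supplied author name, beside a version that derives it server-side.

// Assumed in-memory comment store and constructed user records.
const comments = [];
const users = {
  u1: { id: "u1", name: "alice" },
  admin1: { id: "admin1", name: "admin" },
};

// VULNERABLE: authorName is taken from the request body, so any
// authenticated caller can present another user's display name.
function createCommentTrusting(session, body) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  const comment = { pollId: body.pollId, content: body.content, authorName: body.authorName };
  comments.push(comment);
  return comment;
}

// HARDENED: identity comes only from the session; a body-supplied authorName
// is ignored, and a mismatch is reported through the supplied logger so that
// spoofing attempts can be alerted on.
function createCommentHardened(session, body, log = () => {}) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  const user = users[session.userId];
  if (!user) throw new Error("unknown user");
  if (body.authorName !== undefined && body.authorName !== user.name) {
    log(`authorName mismatch: session user ${user.id} supplied "${body.authorName}"`);
  }
  const comment = {
    pollId: body.pollId,
    content: body.content,
    authorName: user.name, // server-resolved, never client-controlled
    userId: user.id,
  };
  comments.push(comment);
  return comment;
}

// Constructed request from user u1 ("alice") whose body claims to be "admin".
const spoofRequest = { pollId: "p1", content: "hello", authorName: "admin" };
const aliceSession = { userId: "u1" };
```

The trusting handler stores the comment as "admin"; the hardened one stores it as "alice", records the user id, and emits one log line for the mismatch.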