Rallly Poll Management Authorization Flaw Allows Disruption of Ongoing Polls
Vulnerability
An authorization vulnerability has been identified in Rallly, an open-source scheduling and collaboration tool, prior to version 4.5.4. This flaw allows any authenticated user to pause or resume any poll, regardless of ownership. The issue arises because the pause/resume handler only verifies that the supplied public poll ID exists, without checking that the requesting user is the poll's owner (a broken object-level authorization check). Consequently, users can interfere with polls created by others, disrupting scheduling for the affected polls. The vulnerability has been patched in version 4.5.4.
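The following is an added illustration, not Rallly's own code: a minimal in-memory model of a pause/resume handler that shows the missing ownership check described above and the corrected form. The field names (`userId`, `paused`), the `Session` shape, the status strings and the sample polls are all assumptions constructed for this example.

```typescript
// Added example (not Rallly's code): pause/resume handler with and without
// an ownership check. Names and data below are constructed for illustration.

interface Poll {
  id: string;       // public poll id: the only thing the flawed check looked at
  userId: string;   // owner of the poll (hypothetical field name)
  paused: boolean;
}

interface Session {
  userId: string;   // authenticated caller (hypothetical field name)
}

// Constructed sample data: two users, each owning one poll.
const polls: Map<string, Poll> = new Map<string, Poll>([
  ["poll-alice", { id: "poll-alice", userId: "alice", paused: false }],
  ["poll-bob",   { id: "poll-bob",   userId: "bob",   paused: false }],
]);

function resetPolls(): void {
  for (const p of polls.values()) p.paused = false;
}

// Flawed pattern: any authenticated session may act on any poll, because the
// handler only checks that the public id resolves to an existing poll.
function setPausedVulnerable(session: Session, pollId: string, paused: boolean): string {
  const poll = polls.get(pollId);
  if (!poll) return "NOT_FOUND";
  poll.paused = paused;           // session is never compared to poll.userId
  return "OK";
}

// Corrected pattern: resolve the poll AND require that it belongs to the caller.
// Centralising this in one helper lets every poll-management action (pause,
// resume, delete, ...) reuse the same object-level authorization check.
function requireOwnedPoll(session: Session, pollId: string): Poll | "NOT_FOUND" | "FORBIDDEN" {
  const poll = polls.get(pollId);
  if (!poll) return "NOT_FOUND";
  if (poll.userId !== session.userId) return "FORBIDDEN";
  return poll;
}

function setPausedHardened(session: Session, pollId: string, paused: boolean): string {
  const result = requireOwnedPoll(session, pollId);
  if (typeof result === "string") return result;   // NOT_FOUND or FORBIDDEN
  result.paused = paused;
  return "OK";
}
```

Run the two handlers with a session that does not own `poll-alice`: the vulnerable one pauses it, the hardened one returns `FORBIDDEN` and leaves it untouched.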
Impact
Exploitation of this vulnerability allows any logged-in user to pause or resume polls created by others, disrupting ongoing polls and manipulating when participants can respond. This unauthorized control over poll state can significantly interfere with collaborative scheduling.
Reproduction
To reproduce this vulnerability, an authenticated user can intercept a legitimate request to pause or resume a poll using a proxy tool. After modifying the poll ID to that of a poll owned by another user, the altered request can be forwarded to the server. The absence of authorization checks will allow the action to be executed, pausing or resuming the targeted poll.
Remediation
Users are advised to upgrade to Rallly version 4.5.4 or later, where this vulnerability has been patched.
