Rallly Improper Authorization Vulnerability Allows Unauthorized Reopening of Finalized Polls
Vulnerability
An improper authorization vulnerability has been identified in Rallly, an open-source scheduling and collaboration tool, prior to version 4.5.4. This vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. The issue arises because the application fails to verify that the user attempting to reopen a poll is the poll owner. As a result, an authenticated user can intercept a request to reopen their own poll, alter the pollId to reference another user's poll, and successfully reopen it. This vulnerability can disrupt events managed by other users and compromise the availability and integrity of poll data.
Impact
Exploitation of this vulnerability allows unauthorized users to reopen finalized polls belonging to other users, disrupting events and undermining the integrity of the poll data. This vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue.
Reproduction
To reproduce this vulnerability, an authenticated user (User B) can intercept a legitimate request to reopen a finalized poll created by another user (User A). By modifying the pollId parameter to reference User A's poll, User B can successfully reopen it, bypassing authorization checks.
Remediation
Users are advised to upgrade to Rallly version 4.5.4 or later, where this vulnerability has been patched.