Rallly Information Disclosure Vulnerability in Polls Participants API

Vulnerability

An information disclosure vulnerability exists in Rallly, an open-source scheduling and collaboration tool, prior to version 4.5.6. Participant details, including names and email addresses, are exposed through the '/api/trpc/polls.get,polls.participants.list' endpoint, a tRPC batch request that invokes the polls.get and polls.participants.list procedures in one call. The exposure occurs even when the Pro privacy feature that hides participant details is enabled: the server does not enforce that restriction on this API route, so the control that should stop participants from seeing each other's personal information is bypassed, and any participant in the poll can read the other participants' data by calling the route directly.

Impact

This vulnerability undermines user privacy by exposing sensitive participant information, such as names and email addresses, to other users in the same poll. The exposure can have legal implications under data protection regulations such as GDPR, and it hands an attacker verified name-to-email pairings for everyone in the poll, which are useful for targeted phishing or social engineering.

Reproduction

To reproduce this vulnerability, join, as a normal participant (User B), a poll whose owner has enabled the Pro 'Hide participant details' option. Then intercept the request the client sends to '/api/trpc/polls.get,polls.participants.list' (for example with the browser's developer tools or an intercepting proxy). The polls.participants.list element of the batched response includes the names and email addresses of all participants, data the privacy setting is supposed to withhold from User B.
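The following TypeScript is an added example written for this page; it is not Rallly's source code. It models the gap described above and in the Vulnerability section: a route handler that returns stored participant rows unchanged beside one that applies the poll's privacy setting on the server, plus a small checker that pulls any email addresses out of a captured tRPC batch response. The type names, the hideParticipants field, the sample participants and the batch-envelope helper are all hypothetical; the only details taken from the page are the route name and the tRPC convention that comma-joined procedures come back as an array in the same order (the result.data envelope, or result.data.json under a superjson transformer, is tRPC's general shape and is assumed rather than taken from Rallly).

```typescript
// Added example (not Rallly's code): a minimal model of the authorization gap.
// All type names, field names and sample records are hypothetical.

type Participant = { id: string; name: string; email: string | null; userId: string | null };
type Poll = { id: string; ownerId: string; hideParticipants: boolean };
type Viewer = { userId: string | null };

// Constructed sample: Alice owns a poll with the privacy option enabled;
// Bob (a normal participant), Carol and Dave have responded.
const SAMPLE_POLL: Poll = { id: "poll-1", ownerId: "alice", hideParticipants: true };
const SAMPLE_ROWS: Participant[] = [
  { id: "p1", name: "Bob", email: "bob@example.com", userId: "bob" },
  { id: "p2", name: "Carol", email: "carol@example.com", userId: "carol" },
  { id: "p3", name: "Dave", email: "dave@example.com", userId: null },
];
const VIEWER_BOB: Viewer = { userId: "bob" };

// Vulnerable behaviour: the route hands back the stored rows unchanged and
// leaves hiding names and emails to the client. Anyone who calls the route
// directly therefore receives every participant's details.
function listParticipantsVulnerable(_poll: Poll, rows: Participant[], _viewer: Viewer): Participant[] {
  return rows;
}

function isOwner(poll: Poll, viewer: Viewer): boolean {
  return viewer.userId !== null && viewer.userId === poll.ownerId;
}

// Hardened behaviour: the server decides what each viewer may see. The owner
// sees everything; when the privacy option is on, other viewers get their own
// row in full and every other row with name and email redacted.
function listParticipantsFixed(poll: Poll, rows: Participant[], viewer: Viewer): Participant[] {
  if (!poll.hideParticipants || isOwner(poll, viewer)) {
    return rows;
  }
  return rows.map((p) =>
    p.userId !== null && p.userId === viewer.userId
      ? p
      : { ...p, name: "Participant", email: null },
  );
}

// tRPC batching: a request to /api/trpc/a,b returns a JSON array whose i-th
// element is the result of the i-th comma-joined procedure, wrapped as
// result.data (or result.data.json when a superjson transformer is in use).
// Given the procedure list from the URL and the decoded body, collect any
// email addresses present in the participants list.
function leakedEmails(procedures: string, body: unknown[]): string[] {
  const idx = procedures.split(",").indexOf("polls.participants.list");
  if (idx < 0 || idx >= body.length) return [];
  const envelope = body[idx] as { result?: { data?: unknown } } | undefined;
  const data = envelope?.result?.data;
  const rows = Array.isArray(data) ? data : (data as { json?: unknown } | undefined)?.json;
  if (!Array.isArray(rows)) return [];
  return rows
    .map((r) => (r as Participant).email)
    .filter((e): e is string => typeof e === "string" && e.includes("@"));
}

// Wrap rows in the two-element batch envelope a polls.get,polls.participants.list
// call would produce, so the checker can be exercised offline on constructed data.
// The polls.get element is a placeholder object.
function batchResponse(rows: Participant[]): unknown[] {
  return [{ result: { data: { id: "poll-1" } } }, { result: { data: rows } }];
}
```

Running leakedEmails over the vulnerable route's output for Bob yields all three addresses; over the hardened output it yields only Bob's own. The point of the example is where the decision is made: a privacy setting that is only honoured by the client is not a control, because the participants endpoint is reachable by any participant with a normal HTTP client.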

Remediation

Update to Rallly version 4.5.6 or later, where this vulnerability has been patched. Until a deployment is upgraded, poll owners should assume that the 'Hide participant details' option does not prevent participants from retrieving each other's names and email addresses.

Added: Nov 29, 2025, 1:18 AM
Updated: Nov 29, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.