CVE-2025-65032

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-65032

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65032.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-65032

Aliases

GHSA-q9m7-chfx-43xw

Published

2025-11-19T17:26:09.648Z

Modified

2026-04-02T13:00:32.945457Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users’ Names

Details

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user’s name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4.

Database specific

{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65032.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/lukevella/rallly

Affected ranges

Type: GIT
Repo: https://github.com/lukevella/rallly
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0bc349040885ba48ac02ce386140084b0d847a9a

Affected versions

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.10.0

v2.11.0

v2.11.1

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.9.0

v2.9.1

v2.9.2

v3.*

v3.0.0

v3.0.0-rc1

v3.0.1

v3.1.0

v3.1.1

v3.10.0

v3.10.1

v3.11.0

v3.11.1

v3.11.2

v3.2.0

v3.2.1

v3.3.0

v3.4.0

v3.4.1

v3.4.2

v3.5.0

v3.5.1

v3.6.0

v3.6.1

v3.7.0

v3.8.0

v3.8.1

v3.9.0

v3.9.1

v3.9.1-fork.1

v3.9.1-fork.2

v3.9.1-fork.3

v3.9.1-fork.4

v3.9.1-fork.5

v3.9.1-fork.6

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.1.0

v4.1.1

v4.1.2

v4.2.0

v4.3.0

v4.3.1

v4.4.0

v4.4.1

v4.5.0

v4.5.1

v4.5.2

v4.5.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-65032.json"