CVE
CVE-2025-65030
Rallly Improper Authorization in Comment Deletion Endpoint Allows Unauthorized Comment Removal
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.1
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
C
H
U
-
Related Resources
No items found.
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/65xxx/CVE-2025-65030.json, https://github.com/lukevella/rallly/releases/tag/v4.5.4, https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm, https://nvd.nist.gov/vuln/detail/CVE-2025-65030
Basic Information
Ecosystem
