CVE-2025-65021
Rallly · Multiple Products
Executive summary
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Rallly collaboration tool. This flaw allows any authenticated user to finalize polls created by other users, potentially converting them into events without authorization. This can lead to significant disruption of user workflows, compromise data integrity, and impact the availability of the scheduling service.
Vulnerability
The vulnerability is an Insecure Direct Object Reference (IDOR) located in the poll finalization function. The application fails to perform an authorization check to verify that the user finalizing a poll is the actual owner of that poll. An attacker with any valid user account can exploit this by intercepting the network request for finalizing their own poll, and then modifying the pollId parameter to match the ID of a victim's poll. Upon sending the manipulated request, the server will process it and finalize the victim's poll, prematurely ending it and converting it into a scheduled event.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a significant business impact by undermining the core functionality of the scheduling tool. An attacker could prematurely close important polls, create unauthorized events, and prevent legitimate decision-making processes from completing. This leads to a loss of data integrity (incorrect events are created), loss of availability (legitimate polls are closed), and can cause widespread confusion and operational disruption for users relying on the platform for coordination.
Remediation
Immediate Action: Upgrade all instances of Rallly to version 4.5.4 or later, which contains the patch for this vulnerability. Prioritize public-facing and business-critical deployments. After upgrading, review application logs for any signs of past exploitation.
Proactive Monitoring: Security teams should monitor application and web server logs for suspicious activity related to the poll finalization endpoint. Specifically, look for a high volume of finalization requests from a single user account targeting multiple different pollId values. Correlate user session information with poll ownership records to detect instances where a user finalizes a poll they do not own.
Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) rule to detect and block requests where a single user session attempts to finalize numerous polls in a short time frame. Restricting access to the application to trusted IP ranges can also temporarily reduce the attack surface until the patch can be applied.
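The missing ownership check described in the Vulnerability section and the log correlation suggested under Proactive Monitoring, as an added example that is not Rallly's own code. Type names, fields, the in-memory store and the sample events are assumptions made for this illustration.

```typescript
// Added example, not Rallly's code: poll finalization in vulnerable and
// hardened shapes, plus the log correlation from the monitoring section.
// Type names, fields and the sample data below are assumed.
export type Poll = { id: string; ownerId: string; status: "open" | "finalized" };
export type FinalizeEvent = { user: string; pollId: string };

// Constructed sample store: two users, each owning one open poll.
export function samplePolls(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-A", { id: "poll-A", ownerId: "alice", status: "open" }],
    ["poll-B", { id: "poll-B", ownerId: "bob", status: "open" }],
  ]);
}

// Vulnerable shape: the client-supplied pollId is looked up and finalized
// without comparing the caller to the poll's owner (the IDOR in this advisory).
export function finalizeVulnerable(store: Map<string, Poll>, _userId: string, pollId: string): Poll {
  const poll = store.get(pollId);
  if (!poll) throw new Error("not found");
  poll.status = "finalized";
  return poll;
}

// Hardened shape: load the object, then authorize the caller against it before
// any state change; one error for "missing" and "not owner" avoids confirming IDs.
export function finalizeChecked(store: Map<string, Poll>, userId: string, pollId: string): Poll {
  const poll = store.get(pollId);
  if (!poll || poll.ownerId !== userId) throw new Error("forbidden");
  poll.status = "finalized";
  return poll;
}

// Detection: finalize events whose actor is not the poll owner, and actors that
// finalized more than `maxDistinct` different polls in the reviewed window.
export function findSuspicious(
  events: FinalizeEvent[],
  owners: Map<string, string>,
  maxDistinct = 2,
): { notOwner: FinalizeEvent[]; bulkActors: string[] } {
  const notOwner = events.filter((e) => owners.get(e.pollId) !== e.user);
  const perUser = new Map<string, Set<string>>();
  for (const e of events) {
    const seen = perUser.get(e.user) ?? new Set<string>();
    seen.add(e.pollId);
    perUser.set(e.user, seen);
  }
  const bulkActors = Array.from(perUser).filter(([, s]) => s.size > maxDistinct).map(([u]) => u);
  return { notOwner, bulkActors };
}
```

In a real deployment the `owners` map comes from the poll ownership records and `events` from the finalization endpoint's access log, as the monitoring guidance above describes.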
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1 and the low complexity required for exploitation by any authenticated user, we strongly recommend that organizations apply the security update to version 4.5.4 immediately. This vulnerability poses a direct threat to the integrity and availability of the service. Although this CVE is not currently listed on the CISA KEV catalog, its high severity warrants urgent and prioritized remediation to prevent potential disruption.