Submission #787347: lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect
Information

Title: lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect

Description: A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Rallly's reset password functionality. The application improperly trusts a URL parameter (redirectTo). An attacker can craft a malicious link that, when opened and interacted with by a user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft or internal network pivoting.

Note to moderator: To quote the maintainer: "That said, due to the low exploitability I'm treating this as a low-severity code hygiene fix and don't think a CVE or public advisory is warranted here." I believe this is an invalid assumption for not assigning a CVE or public advisory. At best, they want to save face and reduce noise, but I think this is still a risk, even if it's low. Thus, I think a CVE/public advisory should be published for this. At the time of writing, v4.7.5 has not been released yet. But by the time this vuln is reviewed, you can double check their releases to see if it has been published.

CVD via GHSA with maintainer response: https://gist.github.com/TrebledJ/3251a8ecdf79d19739fd466edbcb38f9
CVD Report (originally on GHSA but it was closed, so I mirrored it on a secret GitHub Gist): https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c
PR Fix, merged on Mar 11, 2026: https://github.com/lukevella/rallly/pull/2280

Thanks.

Source: https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c
User: trebledj (UID 94356)
Submitted: 24/03/2026 05:42 PM (1 month ago)
Moderation: 17/04/2026 09:30 AM (24 days later)
Status: Approved
VulDB Entry: 358037 [lukevella rallly up to 4.7.4 Reset Password reset-password-form.tsx redirectTo cross site scripting]
Points: 20