| Title | lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect |
|---|
| Description | A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Rallly's reset password functionality. The application improperly trusts a URL parameter (redirectTo). An attacker can craft a malicious link that, when opened and interacted with by a user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft or internal network pivoting.
--
Note to moderator:
To quote the maintainer: "That said, due to the low exploitability I'm treating this as a low-severity code hygiene fix and don't think a CVE or public advisory is warranted here." I believe this is an invalid assumption for not assigning a CVE or public advisory. At best, they want to save face and reduce noise, but I think this is still a risk, even if it's low. Thus, I think a CVE/public advisory should be published for this.
At the time of writing, v4.7.5 has not been released yet. But by the time this vuln is reviewed, you can double check their releases to see if it has been published.
CVD via GHSA with maintainer response: https://gist.github.com/TrebledJ/3251a8ecdf79d19739fd466edbcb38f9
CVD Report (originally on GHSA but it was closed, so I mirrored it on a secret GitHub Gist): https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c
PR Fix, merged on Mar 11, 2026: https://github.com/lukevella/rallly/pull/2280
Thanks. |
|---|
| Source | ⚠️ https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c |
|---|
| User | trebledj (UID 94356) |
|---|
| Submitted | 2026. 03. 24. 05:42 PM (25 days ago) |
|---|
| Moderation | 2026. 04. 17. 09:30 AM (24 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 358037 [lukevella rallly up to 4.7.4 Reset Password reset-password-form.tsx redirectTo cross site scripting] |
|---|
| Points | 20 |
|---|
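The root cause in the description is a redirectTo value that is navigated to without validation, which lets a `javascript:` or foreign-origin target through. As an added example (not Rallly's code or the fix in the PR above), here is a TypeScript validator a reset-password form could run before any client-side redirect; it accepts only same-origin paths and falls back to `/` otherwise. The `APP_ORIGIN` value is an assumption.

```typescript
// Added example, not from the Rallly project: allow-list check for a
// redirectTo parameter before performing a client-side redirect.
const APP_ORIGIN = "https://app.example.test"; // assumption: the app's own origin
const FALLBACK_PATH = "/";

function safeRedirectTarget(raw: string | null | undefined, origin: string = APP_ORIGIN): string {
  if (!raw) return FALLBACK_PATH;

  let parsed: URL;
  try {
    // Resolve relative to the app origin. Relative paths inherit it; absolute
    // URLs, protocol-relative "//host" and backslash "/\host" forms resolve to
    // whatever host they name, and "javascript:" / "data:" keep their scheme.
    parsed = new URL(raw, origin);
  } catch {
    return FALLBACK_PATH; // unparsable input is never followed
  }

  // Non-http(s) schemes (javascript:, data:) have origin "null" and are rejected
  // here, as is any http(s) URL pointing at a different host.
  if (parsed.origin !== origin) return FALLBACK_PATH;
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return FALLBACK_PATH;

  // Hand back a path-only string so the caller navigates within the app and
  // never via an attacker-supplied absolute URL.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs mirroring the classes of value a redirectTo
// parameter might carry; only the same-origin ones survive.
const samples = ["/account", "//evil.test/phish", "javascript:alert(1)", "https://app.example.test/login?next=1"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```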