| Field | Value |
|---|---|
| Title | lukevella rallly 4.7.5 DOM-Based XSS, Open Redirect |
| Description | A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Rallly's reset password functionality. The application improperly trusts a URL parameter (redirectTo). An attacker can craft a malicious link that, when opened and interacted with by a user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft or internal network pivoting.<br><br>Note to moderator:<br>To quote the maintainer: "That said, due to the low exploitability I'm treating this as a low-severity code hygiene fix and don't think a CVE or public advisory is warranted here." I believe this is an invalid assumption for not assigning a CVE or public advisory. At best, they want to save face and reduce noise, but I think this is still a risk, even if it's low. Thus, I think a CVE/public advisory should be published for this.<br>At the time of writing, v4.7.5 has not been released yet. But by the time this vuln is reviewed, you can double check their releases to see if it has been published.<br>CVD via GHSA with maintainer response: https://gist.github.com/TrebledJ/3251a8ecdf79d19739fd466edbcb38f9<br>CVD Report (originally on GHSA but it was closed, so I mirrored it on a secret GitHub Gist): https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c<br>PR Fix, merged on Mar 11, 2026: https://github.com/lukevella/rallly/pull/2280<br>Thanks. |
| Source | https://gist.github.com/TrebledJ/0bd0494a28daaa16abb565b2cef4bd7c |
| User | trebledj (UID 94356) |
| Submission | 03/24/2026 17:42 |
| Moderation | 04/17/2026 09:30 (24 days later) |
| Status | Accepted |
| VulDB entry | 358037 [lukevella rallly up to 4.7.4 Reset Password reset-password-form.tsx redirectTo cross site scripting] |
| Points | 20 |